Do you need an SDN controller which you can run quickly?
Is security one of your concerns?
Do you need to divide the users into groups and restrict their capabilities for certain tasks?

Meet Lighty AAA
With Lighty AAA, You can create password protected users. You can assign a role and a domain and define their capabilities. You can restrict users to a certain method or give them permission to access data only on a specific path.

Use following dependency to give Lighty AAA a try.

<dependency>
   <groupId>io.lighty.aaa</groupId>
   <artifactId>lighty-aaa</artifactId>
   <version>8.0.0-SNAPSHOT</version>
</dependency>

To start this module simply create an Lighty AAA object and call a start method. You can use shutdown method to stop this module. Once the Lighty controller and RestConf with Lighty AAA are up and running you may start to create new users, roles, and domains. You can assign roles to the users, create policies for, and grant permissions to the users.

Here is how to create a user

You should use POST request to create a user:
path: http://<ip>:<port>/auth/v1/users

with body:

{
    "name": "u1",
    "description": "just another new user",
    "enabled": 1,
    "email": "u1@sdn.tech",
    "password": "foo",
    "salt": "foo",
    "domainid": "sdn"
}

Lighty will automatically generate a user id for you and save it into the database. The expected response should be the following:
201 Created

{
    "userid": "u1@sdn",
    "name": "u1",
    "description": "just another new user",
    "enabled": 1,
    "email": "u1@sdn.tech",
    "password": "**********",
    "salt": "**********",
    "domainid": "sdn"
}

Here is how to list users

This GET request should bring up a list of users with their information:

path: http://<ip>:<port>/auth/v1/users

Now we expect a response with a list of users with their information:
200 OK

{
    "users": [
        {
            "userid": "admin@sdn",
            "name": "admin",
            "description": "admin user",
            "enabled": 1,
            "email": "",
            "password": "**********",
            "salt": "**********",
            "domainid": "sdn"
        },
        {
            "userid": "u1@sdn",
            "name": "u1",
            "description": "just another new user",
            "enabled": 1,
            "email": "u1@sdn.tech",
            "password": "**********",
            "salt": "**********",
            "domainid": "sdn"
        }
    ]
}

Although the user is created it is not enough to use him for making a request. If we use the credentials of this new created user, we would receive a response ‘unauthorized’. To resolve this issue; we need to create a grant to the user. This means that we have to assign a role to the user.

So how to create a grant

You should use POST request to create a grant:
path: http://<ip>:<port>/auth/v1/domains/<domain-id>/users/<user-id>/roles

with body:

{
    "roleid": "<role-id>"
}

Lighty will process this request by writing a new data to grant table of the database with specific user-id and role-id under the chosen domain. The expected response should be the following: 201 Created

{
    "grantid": "<user-id>@<role-id>@<domain-id>",
    "domainid": "<domain-id>",
    "userid": "<user-id>",
    "roleid": "<role-id>"
}

Here is how to list roles

This GET request should bring up a list of roles with their information.
path: http://<ip>:<port>/auth/v1/roles

Now we expect a response with a list of roles with their information:
200 OK

{
    "roles": [
        {
            "roleid": "admin@sdn",
            "name": "admin",
            "description": "a role for admins",
            "domainid": "sdn"
        },
        {
            "roleid": "user@sdn",
            "name": "user",
            "description": "a role for users",
            "domainid": "sdn"
        }
    ]
}

This is perfect if we need to divide our users to admin role which would have the capability to create, remove, and update users. The user role would have the capability to do operations on datastore.
But what if we need to create more roles? Such as a role where the user can only read data or a role where the user can do operations only on a specific path. In order to do that, we need to follow these two steps:

1: Create a new role
2: Define a policy for the role

Here is how to create a role

You should use POST request to create a role:
path: http://<ip>:<port>/auth/v1/roles

with body:

{
    "name" : "read-only",
    "description": "This role is for users that have read only rights",
    "domainid": "sdn"
}

Lighty will write this role to the roles table in the database so it can be used to assign this role to the user or to update a policy for this role. When creating a role we expect following response: 201 Created

{
    "roleid": "read-only@sdn",
    "name": "read-only",
    "description": "This role is for users that have read only rights",
    "domainid": "sdn"
}

Here is how to define a policy for a specific role

The meaning of defining policy to a role is to manage what the given role can do. By defining a policy you can restrict a role; to use specific HTTP methods or access data only under specific list or container.
You should create POST request to define a policy:
path: http://<ip>:<port>/restconf/data/aaa:http-authorization/policies

with body:

{
    "policies": [
      {
        "resource": "/restconf/modules/**",
        "permissions": [
          {
            "role": "read-only",
            "actions": [
             "get"
            ]
          }
        ],
        "description": "read only policy on restconf/modules list"
      }
    ]
}

After this request all the users who have assigned role of “read-only”, will be able to do only GET request on path http://<ip>:<port>/retconf/modules and what “modules” contains.

Here is how to list policies

We can use following GET request to see all the policies which are created:
path: http://<ip>:<port>/restconf/data/aaa:http-authorization/policies

Now we expect a response with a list of policies with their information:
200 OK

{
    "policies": {
        "policies": [
            {
                "resource": "/restconf/modules/**",
                "permissions": [
                    {
                        "role": "read-only",
                        "actions": [
                            "get"
                        ]
                    }
                ],
                "description": "read only policy on restconf/modules list"
            },
            {
                "resource": "/restconf/**",
                "permissions": [
                    {
                        "role": "users",
                        "actions": [
                            "get"
                        ]
                    }
                ],
                "description": "read only policy on restconf list"
            }
        ]
    }
}

Here is How to create a domain

We should use following POST request to create a new domain:
path: http://<ip>:<port>/auth/v1/domains

with body:

{
    "name" : "<domain-name>",
    "description": "<domain-description>",
    "enabled": true
}

Lighty AAA will create a domain id and this domain will be written into the domains table of the database. The expected response should be the following:

{
    "domainid": "<domain-id>",
    "name": "<domain-name>",
    "description": "<domain-description>",
    "enabled": true
}

Here is how to list domains

We can use following GET request to see all the domains that are created:
path: http://<ip>:<port>/auth/v1/domains

Now we expect a response with a list of domains with their information:
200 OK

{
    "domains": [
        {
            "domainid": "<domain-id>",
            "name": "<domain-name>",
            "description": "<domain-description>",
            "enabled": true
        },
        {
            "domainid": "<domain-id>",
            "name": "<domain-name>",
            "description": "<domain-description>",
            "enabled": false
        }
    ]
}

How to authenticate

There are two ways to authenticate the user:
1: We can use HTTP basic authentication.
2: We can use oauth2 to generate tokens.

Method 1: HTTP basic authentication

For this, we need username and password separated by column encrypted using base64 encryption. The resulting encryption can be used as a header with key “Authorization” and value “Basic <encrpyted_username_password>”

Method 2: Oauth2 authentication

The second option is to generate a Bearer token. To generate token we can do POST request:
path: http://<ip>:<port>/oauth2/token
Content-Type : application/x-www-form-urlencoded

with body:

grant_type=password&username=<username>&password=<password>&scope=<domain-name>

Now, you should be ready to use authentication, authorization and accounting with lighty.io.

 

Miroslav Kováč

Categories: lighty.io