... representing an KeyCloak based identity service for centralized user
management. Please note that the implementation does not support IPv6.
Therefore, its own network is required called 'DMZ'.
+ In this configuration the external https port is 8463.
* **SDN-R** single node instance
... representing the NetConf consumer on the Service Management and
Orchestration framework (SMO) for the O1 interface based on
ODL-Silicon/ONAP-Istanbul
+ SDN-R comes with is own web-portal the external port is 8463.
* **VES collector**
- ... representing the VES (REST) provider at SMO for all kind of events.
+ ... representing the VES (REST) provider at SMO for all kind of events. In this configuration the external https port is 8443.
* **DMaaP**
... representing SMO DMaaP component, includes message-router
* **Non-RT-RIC**
... representing all the components of Non-RT-RIC, includes Non-RT-RIC Control Panel, Non-RT-RIC (Spring Cloud) Service Gateway, A1 Policy Management Services,
- Enrichment Data Coordinator, Non-RT-RIC App Catalogue, "Helloworld" O-RU Fronthaul Recovery use-case, Near-RT RIC A1 Simulator etc.
+ Enrichment Data Coordinator, Non-RT-RIC App Catalogue, "HelloWorld" O-RU Fronthaul Recovery use-case, Near-RT RIC A1 Simulator etc.
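Review bot: the port in `+ SDN-R comes with is own web-portal the external port is 8463.` collides with the identity-service line added just above, which also claims 8463; the ports list later in this README gives 8453 for web access to ODLUX (SDNC_WEB_PORT) and 8463 for Keycloak, and the python script uses `https://localhost:8453`, so this line should say 8453 (and `is own` should read `its own`).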
## Prerequisites
PRETTY_NAME="Ubuntu 20.04.2 LTS"
$ docker --version
-Docker version 20.10.2, build 20.10.2-0ubuntu1~20.04.2
+Docker version 20.10.7, build 20.10.7-0ubuntu1~20.04.2
$ docker-compose version
docker-compose version 1.29.1, build c34c88b2
CPython version: 3.7.10
OpenSSL version: OpenSSL 1.1.0l 10 Sep 2019
+
$ git --version
git version 2.25.1
<deployment-system-ipv4> identity <your-system>
```
+It is beneficial (but not mandatory) adding the following line add the
+end of your ~/.bashrc file. I will suppress warnings when python script
+do not verify self signed certificates for HTTPS communication.
+```
+export PYTHONWARNINGS="ignore:Unverified HTTPS request"
+```
+
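Review bot: putting `export PYTHONWARNINGS="ignore:Unverified HTTPS request"` in ~/.bashrc silences the certificate-verification warning for every Python process the user ever runs, not only these scripts, so a script that skips verification elsewhere will no longer be noticed. Prefer setting it per invocation (`PYTHONWARNINGS="ignore:Unverified HTTPS request" python3 script.py`) or inside the scripts that deliberately talk to the self-signed endpoints. Wording: `adding the following line at the end of your ~/.bashrc file. It will suppress warnings when python scripts do not verify ...`.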
## Expected Folder Structure
```
nano network/.env
```
+The tested configuration uses the following external https ports:
+
+ * 8443 for the ves-collector
+ * 8453 for web access to ODLUX (SDNC_WEB_PORT)
+ * 8463 for the keyclock web administrator user interface.
+
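Review bot: `keyclock` in the last bullet should be `keycloak`. The three ports otherwise agree with the .env change (`IDENTITY_PORT=8463`) and the `${IDENTITY_PORT}:8443` mapping in the identity service, which is the reference a reader will use to check firewall rules.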
#### Startup solution
Please note that it is necessary to configure first the identity service,
bash prepareEcsData.sh
```
-script `prepareEcsData.sh` sends http requests to ecs service, and creates data accordingly.
+script `prepareIcsData.sh` sends http requests to ics service, and creates data accordingly.
Afterwards, open webpage:
<http://localhost:8182/>
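Review bot: the description now says `prepareIcsData.sh` talks to the ics service, but the command shown just above still reads `bash prepareEcsData.sh`; either the script file was renamed as well and the command needs the same update, or the description names a script that does not exist. Also `<http://localhost:8182/>` stays plain http while the rest of this change moves the web endpoints to https; confirm that is intended for that UI.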
dockerFilter = subprocess.check_output("docker ps --format '{{.Names}}'", shell=True)
containers = dockerFilter.splitlines()
-mapping = dict({"ntsim-ng-o-ru": "highstreet-O-RU", "ntsim-ng-o-du": "highstreet-O-DU"})
+mapping = dict({"ntsim-ng-o-ru": "O-RU", "ntsim-ng-o-du": "O-DU"})
# base = 'https://sdnc-web:8453'
base = 'https://localhost:8453'
username = 'admin'
<<: *common_nf
image: "${NEXUS3_DOCKER_REPO}nts-ng-o-ran-du:${NTS_BUILD_VERSION}"
container_name: ntsim-ng-o-du-1122
- hostname: highstreet-O-DU-1122
+ hostname: O-DU-1122
volumes:
- ./ntsim-ng-o-du/config.json:/opt/dev/ntsim-ng/config/config.json
- ./ntsim-ng-o-du/o-ran-sc-du-hello-world-running.xml:/opt/dev/deploy/data/o-ran-sc-du-hello-world-running.xml
<<: *common_nf
image: "${NEXUS3_DOCKER_REPO}nts-ng-o-ran-ru-fh:${NTS_BUILD_VERSION}"
container_name: ntsim-ng-o-ru-fh-11221
- hostname: highstreet-O-RU-11221
+ hostname: O-RU-11221
volumes:
- ./ntsim-ng-o-ru/ntsim-ng-o-ru-fh-1/config.json:/opt/dev/ntsim-ng/config/config.json
- ./ntsim-ng-o-ru/ntsim-ng-o-ru-fh-1/ietf-hardware-operational.json:/opt/dev/deploy/data/ietf-hardware-operational.json
<<: *common_nf
image: "${NEXUS3_DOCKER_REPO}nts-ng-o-ran-ru-fh:${NTS_BUILD_VERSION}"
container_name: ntsim-ng-o-ru-fh-11222
- hostname: highstreet-O-RU-11222
+ hostname: O-RU-11222
volumes:
- ./ntsim-ng-o-ru/ntsim-ng-o-ru-fh-2/config.json:/opt/dev/ntsim-ng/config/config.json
- ./ntsim-ng-o-ru/ntsim-ng-o-ru-fh-2/ietf-hardware-operational.json:/opt/dev/deploy/data/ietf-hardware-operational.json
<<: *common_nf
image: "${NEXUS3_DOCKER_REPO}nts-ng-o-ran-ru-fh:${NTS_BUILD_VERSION}"
container_name: ntsim-ng-o-ru-fh-11223
- hostname: highstreet-O-RU-11223
+ hostname: O-RU-11223
volumes:
- ./ntsim-ng-o-ru/ntsim-ng-o-ru-fh-3/config.json:/opt/dev/ntsim-ng/config/config.json
- ./ntsim-ng-o-ru/ntsim-ng-o-ru-fh-3/ietf-hardware-operational.json:/opt/dev/deploy/data/ietf-hardware-operational.json
<<: *common_nf
image: "${NEXUS3_DOCKER_REPO}smo-nts-ng-topology-server:${NTS_BUILD_VERSION}"
container_name: ntsim-ng-topology-server
- hostname: highstreet-TAPI-topology-server
+ hostname: TAPI-topology-server
volumes:
- ./ntsim-ng-topology-server/config.json:/opt/dev/ntsim-ng/config/config.json
- ./ntsim-ng-topology-server/tapi-common-operational.xml:/opt/dev/deploy/data/tapi-common-operational.xml
<<: *common_env
<<: *topo_env
SSH_CONNECTIONS: 1
- TLS_CONNECTIONS: 0
+ TLS_CONNECTIONS: 0
networks:
default:
external:
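Review bot: the `- TLS_CONNECTIONS: 0` / `+ TLS_CONNECTIONS: 0` pair changes nothing visible except whitespace; drop it so the hunk carries only the hostname renames. The renames themselves stay consistent with the python mapping (`O-RU`, `O-DU` as prefixes of `O-RU-11221` and `O-DU-1122`) and with the XML `<id>O-DU-1122</id>` change.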
<distinguished-name-prefix>CN=KarenBerge,CN=admin,DC=corp,DC=Fabrikam,DC=COM</distinguished-name-prefix>
<location-name>address name</location-name>
<distributed-unit-functions>
- <id>O-DU-1211</id>
+ <id>O-DU-1122</id>
<administrative-state>locked</administrative-state>
<operational-state>enabled</operational-state>
<user-label>o-du-1</user-label>
<user-label>nf1</user-label>
<distinguished-name-prefix>CN=KarenBerge,CN=admin,DC=corp,DC=Fabrikam,DC=COM</distinguished-name-prefix>
<distributed-unit-functions>
- <id>O-DU-1211</id>
+ <id>O-DU-1122</id>
<administrative-state>unlocked</administrative-state>
<user-label>o-du-1</user-label>
<cell>
# Identity server
IDENTITY_IMAGE=quay.io/keycloak/keycloak:12.0.4
-IDENTITY_PORT=8081
-IDENTITY_PROVIDER_URL=http://identity:8081
+IDENTITY_PORT=8463
+IDENTITY_PROVIDER_URL=https://identity:8463
# Topology server
TOPOLOGY_IMAGE=docker.io/hightec/smo-topology-api-v2:2.0.2-SNAPSHOT-20210315T160448Z
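Review bot: `IDENTITY_PROVIDER_URL=https://identity:8463` uses the host-published port, but the identity service now maps `${IDENTITY_PORT}:8443` and no longer sets `-Djboss.http.port`, so inside the compose network Keycloak listens on 8443. The SDNC container receives this value via `IDENTITY_PROVIDER_URL=${IDENTITY_PROVIDER_URL}` and would need 8443 there, which is exactly what `internalUrl` in oauth-provider.config.json does; consider a separate internal URL variable, or document that `identity` must resolve to the host (the hosts-file line `<deployment-system-ipv4> identity <your-system>`) for this to work.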
image: ${IDENTITY_IMAGE}
container_name: identity
ports:
- - ${IDENTITY_PORT}:${IDENTITY_PORT}
+ - ${IDENTITY_PORT}:8443
environment:
- KEYCLOAK_USER=${ADMIN_USERNAME}
- KEYCLOAK_PASSWORD=${ADMIN_PASSWORD}
- - JAVA_OPTS=-Djboss.http.port=${IDENTITY_PORT}
+ - JAVA_OPTS=-Djboss.bind.address.private=[::1] -Djboss.bind.address=[::1] -Djava.net.preferIPv6Addresses=true -Djava.net.preferIPv4Stack=false
+ - DB_VENDOR=h2
networks:
dmz:
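Review bot: `-Djboss.bind.address=[::1] -Djboss.bind.address.private=[::1]` bind Keycloak to the IPv6 loopback only, which neither the `${IDENTITY_PORT}:8443` port mapping nor other containers on `dmz` can reach, unless the image's own start arguments override the bind address afterwards; please confirm with `docker-compose logs identity` that the listener is on 0.0.0.0 or the container address, not ::1, since the README states the setup does not support IPv6. `DB_VENDOR=h2` keeps the realm in the container's embedded database, so the realm import must be repeated after the container is recreated unless a volume is added.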
# global configurations
# TODO: read from ../.env
-base = 'http://localhost:8081'
+base = 'https://identity:8463'
username = 'admin'
password = 'Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U'
realmFile = os.path.dirname(os.path.abspath(__file__)) + '/o-ran-sc-realm.json'
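Review bot: `base = 'https://identity:8463'` hardcodes what .env now defines as `IDENTITY_PROVIDER_URL`, and the admin password sits as a literal two lines below it; the `# TODO: read from ../.env` comment above is the right fix and this change is the moment to do it, so port and credential live in one place and the committed password can be dropped from the script.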
raise SystemExit(e)
if response.status_code >= 200 and response.status_code < 300:
- print('Got tocken!')
+ print('Got token!')
return response.json()['access_token']
else:
sys.exit('Getting token failed.')
"clientAuthenticatorType": "client-secret",
"secret": "2a64fdca-c205-4b52-9f58-195ccc142ddb",
"redirectUris": [
- "http://localhost:8081/*",
"https://sdnc-web:8453/*"
],
"webOrigins": [],
},
"keycloakVersion": "12.0.4",
"userManagedAccessAllowed": false
-}
+}
\ No newline at end of file
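Review bot: removing `http://localhost:8081/*` from `redirectUris` is the right tightening, leaving only the https ODLUX callback. The client `secret` value is committed in this realm export and repeated in oauth-provider.config.json; treat it as a lab-only value and regenerate it for any deployment beyond the local setup. The `-}` / `+}` pair is only a trailing-newline change.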
#
#PMS
-PMS_IMAGE_BASE="nexus3.o-ran-sc.org:10002/o-ran-sc/nonrtric-policy-agent"
-PMS_IMAGE_TAG="2.2.0"
+PMS_IMAGE_BASE="nexus3.o-ran-sc.org:10002/o-ran-sc/nonrtric-a1-policy-management-service"
+PMS_IMAGE_TAG="2.3.1"
#A1_SIM
A1_SIM_IMAGE_BASE="nexus3.o-ran-sc.org:10002/o-ran-sc/a1-simulator"
-A1_SIM_IMAGE_TAG="2.1.0"
+A1_SIM_IMAGE_TAG="2.2.0"
#RAPP
RAPP_IMAGE_BASE="nexus3.o-ran-sc.org:10002/o-ran-sc/nonrtric-r-app-catalogue"
-RAPP_IMAGE_TAG="1.0.0"
+RAPP_IMAGE_TAG="1.0.2"
#CONTROL_PANEL
CONTROL_PANEL_IMAGE_BASE="nexus3.o-ran-sc.org:10002/o-ran-sc/nonrtric-controlpanel"
-CONTROL_PANEL_IMAGE_TAG="2.2.0"
+CONTROL_PANEL_IMAGE_TAG="2.3.0"
#GATEWAY
NONRTRIC_GATEWAY_IMAGE_BASE="nexus3.o-ran-sc.org:10002/o-ran-sc/nonrtric-gateway"
#ICS
ICS_IMAGE_BASE="nexus3.o-ran-sc.org:10002/o-ran-sc/nonrtric-information-coordinator-service"
-ICS_IMAGE_TAG="1.2.0"
+ICS_IMAGE_TAG="1.2.1"
#PRODUCER
PRODUCER_IMAGE_BASE="eexit/mirror-http-server"
#ORU
ORU_APP_IMAGE_BASE="nexus3.o-ran-sc.org:10002/o-ran-sc/nonrtric-o-ru-closed-loop-recovery"
-ORU_APP_IMAGE_TAG="1.0.0"
+ORU_APP_IMAGE_TAG="1.0.1"
#ODU
ODU_APP_IMAGE_BASE="nexus3.o-ran-sc.org:10002/o-ran-sc/nonrtric-o-du-slice-assurance"
-ODU_APP_IMAGE_TAG="1.0.0"
+ODU_APP_IMAGE_TAG="1.0.1"
#DB
DB_IMAGE_BASE="mariadb"
#A1CONTROLLER
A1CONTROLLER_IMAGE_BASE="nexus3.onap.org:10002/onap/sdnc-image"
-A1CONTROLLER_IMAGE_TAG="2.1.2"
\ No newline at end of file
+A1CONTROLLER_IMAGE_TAG="2.1.6"
\ No newline at end of file
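Review bot: the tag bumps are consistent, but `PRODUCER_IMAGE_BASE="eexit/mirror-http-server"`, `DB_IMAGE_BASE="mariadb"` and `NONRTRIC_GATEWAY_IMAGE_BASE` show no `*_IMAGE_TAG` in this hunk; if none exists elsewhere in the file they float to `latest`, which makes the tested configuration this README describes non-reproducible. Pin them like the others.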
NETWORK_GATEWAY_OAM_IPv6=2001:db8:1:50::1
# Identity server
-IDENTITY_PROVIDER_URL=http://identity:8081
+IDENTITY_PROVIDER_URL=https://identity:8463
# SDN Controller
SDNC_IMAGE=nexus3.onap.org:10001/onap/sdnc-image:2.2.3
- IDENTITY_PROVIDER_URL=${IDENTITY_PROVIDER_URL}
- SDNC_WEB_URL=https://sdnc-web:${SDNC_WEB_PORT}
volumes:
+ - ./sdnr/oauth-aaa-app-config.xml:/opt/opendaylight/current/system/org/opendaylight/aaa/aaa-shiro/0.13.3/aaa-shiro-0.13.3-aaa-app-config.xml
- ./sdnr/oauth-provider.config.json:/opt/opendaylight/etc/oauth-provider.config.json
- ./sdnr/devicemanager.properties:/opt/opendaylight/etc/devicemanager.properties
- ./sdnr/mountpoint-registrar.properties:/opt/opendaylight/etc/mountpoint-registrar.properties
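Review bot: the new mount targets `.../aaa-shiro/0.13.3/aaa-shiro-0.13.3-aaa-app-config.xml`, which pins the aaa-shiro version inside `sdnc-image:2.2.3`. If `SDNC_IMAGE` is later bumped to a release with a different aaa-shiro version, the file lands in an unused path and the controller silently falls back to the image's default shiro configuration without the `authcBearer` rules. Either derive the path from a variable kept next to `SDNC_IMAGE` or add a startup check that the mounted file is the active configuration.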
--- /dev/null
+<?xml version="1.0" ?>
+<!--
+ ~ ============LICENSE_START=======================================================
+ ~ ONAP : ccsdk features
+ ~ ================================================================================
+ ~ Copyright (C) 2021 highstreet technologies GmbH Intellectual Property.
+ ~ All rights reserved.
+ ~ ================================================================================
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ ~ ============LICENSE_END=======================================================
+ ~
+ -->
+
+<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
+
+
+ <main>
+ <pair-key>tokenAuthRealm</pair-key>
+ <pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.OAuth2Realm</pair-value>
+ </main>
+
+ <main>
+ <pair-key>securityManager.realms</pair-key>
+ <pair-value>$tokenAuthRealm</pair-value>
+ </main>
+ <!-- Used to support OAuth2 use case. -->
+ <main>
+ <pair-key>authcBasic</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
+ </main>
+ <main>
+ <pair-key>anyroles</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.filters.AnyRoleHttpAuthenticationFilter</pair-value>
+ </main>
+ <main>
+ <pair-key>authcBearer</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter2</pair-value>
+ </main>
+
+ <!-- in order to track AAA challenge attempts -->
+ <main>
+ <pair-key>accountingListener</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
+ </main>
+ <main>
+ <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
+ <pair-value>$accountingListener</pair-value>
+ </main>
+
+ <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
+ <main>
+ <pair-key>dynamicAuthorization</pair-key>
+ <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
+ </main>
+
+
+ <urls>
+ <pair-key>/**/operations/cluster-admin**</pair-key>
+ <pair-value>authcBearer, roles[admin]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/**/v1/**</pair-key>
+ <pair-value>authcBearer, roles[admin]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/**/config/aaa*/**</pair-key>
+ <pair-value>authcBearer, roles[admin]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/oauth/**</pair-key>
+ <pair-value>anon</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/odlux/**</pair-key>
+ <pair-value>anon</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/apidoc/**</pair-key>
+ <pair-value>authcBasic</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/rests/**</pair-key>
+ <pair-value>authcBearer, anyroles["admin,provision"]</pair-value>
+ </urls>
+ <urls>
+ <pair-key>/**</pair-key>
+ <pair-value>authcBearer, anyroles["admin,provision"]</pair-value>
+ </urls>
+</shiro-configuration>
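Review bot: `/apidoc/**` is the only protected path using `authcBasic` with no role filter, while `/rests/**` and `/**` require `authcBearer, anyroles["admin,provision"]`; any account that can authenticate, including the ODL users enabled by `supportOdlUsers`, can then browse the API docs. If that is intended, add a comment like the ones above the `<main>` entries; otherwise align it with the bearer rules. Shiro matches `<urls>` entries in order, so the `anon` entries for `/oauth/**` and `/odlux/**` correctly precede the catch-all `/**`. Style: the double blank lines after `<shiro-configuration>` and before the first `<urls>` can go.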
{
- "tokenSecret": "my-secret",
- "tokenIssuer": "ONAP-SDNC",
- "publicUrl": "${SDNC_WEB_URL}",
- "redirectUri": "/odlux/index.html#/oauth?token=",
- "supportOdlUsers": "true",
- "providers": [
- {
- "id": "identity",
- "type": "KEYCLOAK",
- "url": "http://identity:8081",
- "clientId": "odlux.app",
- "secret": "2a64fdca-c205-4b52-9f58-195ccc142ddb",
- "scope": "openid",
- "title": "ONAP-IDENTITY",
- "roleMapping": {
- "administration": "admin"
- },
- "realmName": "onap",
- "trustAll": "true"
+ "tokenSecret": "my-secret",
+ "tokenIssuer": "ONAP-SDNC",
+ "publicUrl": "https://sdnc-web:8453",
+ "redirectUri": "/odlux/index.html#/oauth?token=",
+ "supportOdlUsers": "true",
+ "providers": [
+ {
+ "id": "identity",
+ "type": "KEYCLOAK",
+ "url": "https://identity:8463",
+ "internalUrl": "https://identity:8443",
+ "clientId": "odlux.app",
+ "secret": "2a64fdca-c205-4b52-9f58-195ccc142ddb",
+ "scope": "openid",
+ "title": "ONAP-IDENTITY",
+ "roleMapping": {
+ "administration": "admin"
+ },
+ "realmName": "onap",
+ "trustAll": "true"
}
]
-}
+}
\ No newline at end of file
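Review bot: `"publicUrl": "https://sdnc-web:8453"` replaces `${SDNC_WEB_URL}` with a literal even though the compose file still passes `SDNC_WEB_URL=https://sdnc-web:${SDNC_WEB_PORT}` into the container; keep the variable so changing `SDNC_WEB_PORT` in .env does not break the OAuth redirect. `"tokenSecret": "my-secret"` (the provider's own secret next to `tokenIssuer`) stays a placeholder and `"trustAll": "true"` disables certificate checking toward `https://identity:8463`; both fit the self-signed lab setup this README describes but should be listed in the README as values to change, since the rest of this change moves every endpoint to https.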