The ONOS CLI is built on the Apache Karaf command-console shell and therefore configures role-based access the same way Apache Karaf does. The configuration is divided into two areas:
- configuration of the roles required by each command (or by a usage variant of a command)
- configuration of the roles granted to each user group
Both are configured through files in the ONOS Apache Karaf etc directory.
Configuring Roles Required By Commands
The roles required for each CLI command (or even for a particular usage variant of a command) are configured in the file
org.apache.karaf.command.acl.onos.cfg. The default assignments of the
viewer and admin roles were made on the basis of whether a command is read-only or whether it actually changes the state of the system. Here is an excerpt of this file:
As new CLI commands or usage variants are added, this file will be updated to reflect the roles they require. Deployments may choose to modify this file and change the default role assignments, either to further constrain or to relax access requirements, according to their needs. Note that such changes must be made on every node of the ONOS cluster; ONOS presently provides no mechanism to synchronize them across the cluster, so a node whose copy is out of date will enforce a different policy from its peers.
Configuring Roles Granted to User Groups
The default authentication scheme relies on the users.properties and
keys.properties files in the Apache Karaf
etc directory. These files hold the user/password/group and user/key/group assignments, respectively. They also hold the definitions of the groups to which users are assigned; each group definition lists the roles that have been granted to the group's members.
This is what the default users.properties file looks like:
It defines three users, including
guest, and two groups,
_g_:admingroup and _g_:guestgroup. The
_g_:admingroup has been granted roles including admin, viewer and
webconsole, whereas the
_g_:guestgroup has been granted only the
viewer role. Therefore, users that belong to the former group can execute both the commands that require the
admin role and those that require the
viewer role, whereas users that belong to the latter group can execute only those commands requiring the
viewer role, and not those that demand the admin role.
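The two halves of the configuration only make sense together: a command's entry in the ACL file names the roles that may run it, and a user's line in users.properties (or keys.properties) names the groups whose role lists the user inherits. The script below is an added example, not ONOS or Karaf code, that resolves the two against each other: it parses a constructed users.properties-style body and a constructed command ACL body, expands group membership into effective roles, and decides whether a given user may run a given command line, including a usage variant expressed as a [/regex/] entry. The user names, passwords, command names and the regex are hypothetical, not ONOS's defaults; it also assumes that a matching argument-regex entry replaces the plain entry for that command and that a command with no entry is unrestricted, which should be checked against the Karaf version actually deployed. It also flags membership in a group that was never defined, the typical hand-editing mistake that silently drops the roles the group was meant to grant.

```python
"""Resolve who may run which ONOS CLI command under Karaf's role-based ACLs.

Added example; not ONOS or Apache Karaf code. Both file bodies below are
constructed samples in the users.properties and command-ACL formats, with
hypothetical users, commands and regex. Assumptions (verify against the
deployed Karaf version): a matching [/regex/] variant replaces the plain
entry for that command, the regex is matched against the space-joined
argument string, and a command with no ACL entry is unrestricted.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample, users.properties format: user = password, roles/groups...
# A group line has the literal word "group" as its first field, then its roles.
# carol's group is deliberately left undefined to show the consistency check.
USERS_PROPERTIES = """\
alice = s3cret, _g_:admingroup
bob = hunter2, _g_:guestgroup
carol = pa55, _g_:opsgroup
_g_:admingroup = group, admin, viewer, webconsole
_g_:guestgroup = group, viewer
"""

# Constructed sample, command ACL format: command[/arg-regex/] = roles...
COMMAND_ACL = """\
devices = viewer
flows = viewer
device-remove = admin
cfg = viewer
cfg[/.*set.*/] = admin
"""

GROUP_PREFIX = "_g_:"
GROUP_MARKER = "group"
ACL_KEY = re.compile(r"^(?P<cmd>[^\[\s]+)(?:\[/(?P<regex>.*)/\])?$")


def parse_properties(text: str) -> Dict[str, List[str]]:
    """Parse 'key = v1, v2, ...' lines; blank lines and # comments are skipped."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # first '=' splits key from values
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        entries[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return entries


def undefined_groups(users: Dict[str, List[str]]) -> List[str]:
    """List 'user -> group' for memberships that reference no defined group."""
    problems: List[str] = []
    for name, fields in users.items():
        if name.startswith(GROUP_PREFIX):
            continue
        for member_of in fields[1:]:           # fields[0] is the password/key
            if not member_of.startswith(GROUP_PREFIX):
                continue
            group = users.get(member_of)
            if not group or group[0] != GROUP_MARKER:
                problems.append(f"{name} -> {member_of}")
    return problems


def effective_roles(users: Dict[str, List[str]], user: str) -> Set[str]:
    """Direct roles plus the roles of every defined _g_: group the user is in."""
    roles: Set[str] = set()
    for entry in users[user][1:]:
        if entry.startswith(GROUP_PREFIX):
            group = users.get(entry)
            if group and group[0] == GROUP_MARKER:
                roles.update(group[1:])
        else:
            roles.add(entry)
    return roles


def required_roles(acl: Dict[str, List[str]], command: str,
                   args: List[str]) -> Optional[Set[str]]:
    """Roles accepted for this invocation; None when the command has no entry."""
    argline = " ".join(args)
    plain: Optional[Set[str]] = None
    variant: Set[str] = set()
    for key, roles in acl.items():
        m = ACL_KEY.match(key)
        if not m or m.group("cmd") != command:
            continue
        if m.group("regex") is None:
            plain = set(roles)
        elif re.fullmatch(m.group("regex"), argline):
            variant.update(roles)           # more specific: overrides the plain entry
    return variant or plain


def may_execute(users: Dict[str, List[str]], acl: Dict[str, List[str]],
                user: str, command: str, args=()) -> bool:
    """True if the user holds at least one of the roles the invocation requires."""
    needed = required_roles(acl, command, list(args))
    return needed is None or bool(needed & effective_roles(users, user))


if __name__ == "__main__":
    users = parse_properties(USERS_PROPERTIES)
    acl = parse_properties(COMMAND_ACL)
    for problem in undefined_groups(users):
        print("WARNING: membership in undefined group:", problem)
    checks = [("alice", "device-remove", []), ("bob", "device-remove", []),
              ("bob", "cfg", ["get", "org.onosproject.net.foo"]),
              ("bob", "cfg", ["set", "org.onosproject.net.foo", "k", "v"])]
    for user, cmd, args in checks:
        verdict = "allowed" if may_execute(users, acl, user, cmd, args) else "DENIED"
        print(f"{user:6} {cmd} {' '.join(args)} -> {verdict}")
```

Because both files are per-node, run such a check on every node of the cluster after an edit, not just on the one where the change was made; a node with a stale or mistyped copy will answer differently for the same user and command.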
Similar group definitions and user assignments can be made in the
keys.properties file, as shown in the following example:
Note that changes to these files must be made on each node in the ONOS cluster, as ONOS currently does not offer a way to synchronize these configurations throughout the cluster. Since the files hold passwords and public keys, they should also remain readable only by the account under which ONOS runs.
Also note that two convenience tools, one of which is
onos-user-key, have been provided to alter these files, but those tools currently work only for users that belong to the
_g_:admingroup. To make custom group definitions and user assignments, direct edits to the files are needed.