The controller must have:
• A valid, trusted-CA-signed identity certificate and the CA certificate configured in the controller keystore
• The CA certificate configured in the controller truststore
• The authentication manager setting ConnSSLClientAuth set to true, to enforce mutual authentication
Keystone should be configured to:
• Use a valid, trusted-CA-signed identity certificate
• Use the trusted CA to validate client certificates
• Require SSL
• Require the client certificate to be valid
Role-Based Access Control (RBAC)
HPE VAN SDN Controller supports limited RBAC. The SDN Controller currently enforces a single
role, which has access to all controller features. By default, this role is sdn-admin. An
authenticated user must hold this role to be granted access to the controller, so you must ensure
that Keystone is configured to grant it.
Applications installed on the SDN Controller can enforce their own RBAC to meet their security
requirements.
Assigning a user to a role
To assign a user the sdn-admin role and give the user access to the desired SDN Controller:
1. Create a tenant (the example creates a test tenant):
curl -H "X-Auth-Token:ADMIN" -H "Content-Type: application/json" \
  -d '{"tenant": {"enabled": true, "name": "test-tenant", "description": "Test Tenant"}}' \
  http://<controller-ip>:35357/v2.0/tenants
2. List tenants:
curl -H "X-Auth-Token:ADMIN" http://<controller-ip>:35357/v2.0/tenants
3. Create a user (tenantId is the id of the tenant created in step 1):
curl -H "X-Auth-Token:ADMIN" -H "Content-Type: application/json" \
  -d '{"user": {"email": "tester@test.rose.hp.com", "password": "somepass", "enabled": true, "name": "test-user", "tenantId": "2c851897a09f483fa452e2de11511f71"}}' \
  http://<controller-ip>:35357/v2.0/users
4. List users:
curl -H "X-Auth-Token:ADMIN" http://<controller-ip>:35357/v2.0/users
5. Create a role:
curl -H "X-Auth-Token:ADMIN" -H "Content-Type: application/json" -d '{"role": {"name": "test-role"}}' \
  http://<controller-ip>:35357/v2.0/OS-KSADM/roles
6. List roles:
curl -H "X-Auth-Token:ADMIN" http://<controller-ip>:35357/v2.0/OS-KSADM/roles
7. Assign a user to a role:
curl -X PUT -H "X-Auth-Token:ADMIN" \
  http://<controller-ip>:35357/v2.0/tenants/<tenant-id>/users/<user-id>/roles/OS-KSADM/<role-id>
8. List roles for a user for a given tenant:
curl -X GET -H "X-Auth-Token:ADMIN" http://<controller-ip>:35357/v2.0/tenants/<tenant-id>/users/<user-id>/roles
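The eight curl steps above, and the RBAC rule that the controller admits only users holding sdn-admin, can be driven from one script. The following is an added example, not HPE's tooling: it calls the same Keystone v2 admin endpoints as the curl commands, reuses a tenant, user or role that already exists instead of creating duplicates, and finishes with step 8 as the check that the binding took. The `transport` parameter and the `FakeKeystone` class are assumptions for running offline; against a real controller, omit `transport` and pass the admin URL (https once Keystone requires SSL).

```python
import json
import urllib.request

REQUIRED_ROLE = "sdn-admin"  # the single role the controller enforces


def keystone_request(base_url, token, method, path, body=None, transport=None):
    """Issue one Keystone v2 admin API call and return the decoded JSON reply.
    `transport` is a hypothetical injection point: when given, the prepared
    request is handed to it instead of being sent with urllib."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"X-Auth-Token": token}
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(base_url + path, data=data, headers=headers, method=method)
    if transport is not None:
        return transport(req)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def find_id(listing, key, name):
    """Return the id of the entry called `name` in a listing such as {"tenants": [...]}."""
    for entry in listing.get(key, []):
        if entry.get("name") == name:
            return entry["id"]
    return None


def has_required_role(roles_listing, required=REQUIRED_ROLE):
    """True when the reply to GET .../users/<user-id>/roles contains the required role."""
    return any(r.get("name") == required for r in roles_listing.get("roles", []))


def grant_sdn_admin(base_url, token, tenant_name, user_name, password, transport=None):
    """Steps 1-8 in one pass: reuse tenant, user and role if present, create them
    otherwise, bind them, then verify the binding via the role listing."""
    def ks(method, path, body=None):
        return keystone_request(base_url, token, method, path, body, transport)

    tenant_id = find_id(ks("GET", "/v2.0/tenants"), "tenants", tenant_name)
    if tenant_id is None:
        tenant = {"enabled": True, "name": tenant_name, "description": tenant_name}
        tenant_id = ks("POST", "/v2.0/tenants", {"tenant": tenant})["tenant"]["id"]
    user_id = find_id(ks("GET", "/v2.0/users"), "users", user_name)
    if user_id is None:
        user = {"name": user_name, "password": password, "enabled": True, "tenantId": tenant_id}
        user_id = ks("POST", "/v2.0/users", {"user": user})["user"]["id"]
    role_id = find_id(ks("GET", "/v2.0/OS-KSADM/roles"), "roles", REQUIRED_ROLE)
    if role_id is None:
        role_id = ks("POST", "/v2.0/OS-KSADM/roles", {"role": {"name": REQUIRED_ROLE}})["role"]["id"]
    ks("PUT", f"/v2.0/tenants/{tenant_id}/users/{user_id}/roles/OS-KSADM/{role_id}")
    # Step 8 is the check that matters: the controller only admits users holding sdn-admin.
    return has_required_role(ks("GET", f"/v2.0/tenants/{tenant_id}/users/{user_id}/roles"))


class FakeKeystone:
    """Constructed in-memory stand-in for the Keystone v2 admin API (not Keystone),
    modelling only the eight calls used above so the flow can run offline."""

    def __init__(self):
        self.stores = {"tenants": {}, "users": {}, "roles": {}}
        self.grants = set()  # (tenant_id, user_id, role_id)
        self.counter = 0

    def _collection(self, plural, method, body):
        store = self.stores[plural]
        if method == "GET":
            return {plural: list(store.values())}
        single = plural[:-1]
        self.counter += 1
        entry = {k: v for k, v in body[single].items() if k != "password"}  # never echo secrets
        entry["id"] = f"{single}-{self.counter:04d}"
        store[entry["id"]] = entry
        return {single: entry}

    def __call__(self, req):
        method = req.get_method()
        parts = req.full_url.split("/v2.0/", 1)[1].split("/")
        body = json.loads(req.data) if req.data else {}
        if parts in (["tenants"], ["users"]):
            return self._collection(parts[0], method, body)
        if parts == ["OS-KSADM", "roles"]:
            return self._collection("roles", method, body)
        tenant_id, user_id = parts[1], parts[3]  # /tenants/<t>/users/<u>/roles[/OS-KSADM/<r>]
        if method == "PUT":
            self.grants.add((tenant_id, user_id, parts[6]))
            return {}
        granted = [self.stores["roles"][r] for t, u, r in self.grants if (t, u) == (tenant_id, user_id)]
        return {"roles": granted}


def demo():
    """Run the procedure twice against one fake: the second pass must reuse the
    existing objects rather than create duplicates, and both passes must verify."""
    fake = FakeKeystone()
    base = "http://192.0.2.10:35357"  # constructed address; admin API port as in the curl steps
    first = grant_sdn_admin(base, "ADMIN", "test-tenant", "test-user", "somepass", transport=fake)
    second = grant_sdn_admin(base, "ADMIN", "test-tenant", "test-user", "somepass", transport=fake)
    return first, second, len(fake.stores["users"])
```

`demo()` returns `(True, True, 1)`: both passes end with the user holding sdn-admin and only one user object exists. The same `has_required_role` check is the one to run after any manual change, since a user bound to a differently named role such as test-role is still refused by the controller.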
Example
1. List tenants
root@sdnctl1:/var# curl -H "X-Auth-Token:ADMIN" http://192.168.4.61:35357/v2.0/tenants | python -mjson.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 243 100 243 0 0 38786 0 --:--:-- --:--:-- --:--:-- 40500