With lighty.io AAA, you can:
- Create password-protected users with roles and domains
- Restrict users to specific HTTP methods or RESTCONF data paths
- Divide users into groups with distinct capabilities
- Authenticate via HTTP Basic or OAuth2 Bearer tokens
Getting Started
Add the lighty-aaa dependency to your Maven project. The version below is a SNAPSHOT, which is a moving development build; pin a released version for anything beyond experiments:
<dependency>
  <groupId>io.lighty.aaa</groupId>
  <artifactId>lighty-aaa</artifactId>
  <version>8.0.0-SNAPSHOT</version>
</dependency>
To start the module, create a LightyAAA object and call start(); call shutdown() to stop it. Once the lighty controller, RESTCONF and lighty AAA are running, you manage users, roles and domains through the REST endpoints below. These endpoints are themselves protected by AAA, so authenticate the management requests with an account that already has administrative rights (see Authentication Methods).
User Management
Create a User
POST /auth/v1/users
{
  "name": "u1",
  "description": "just another new user",
  "enabled": 1,
  "email": "u1@sdn.tech",
  "password": "foo",
  "domainid": "sdn"
}
lighty.io generates the user ID; the 201 Created response echoes the new user including that ID, which you need for the grant request below. The password travels in clear text inside this body, so issue the call only over TLS, and replace the placeholder "foo" with a real password before using it anywhere but a lab.
List Users
GET /auth/v1/users — returns all users with their info. Expected response: 200 OK.
Role Management
Create a Role
POST /auth/v1/roles
{
  "name": "read-only",
  "description": "This role is for users that have read only rights",
  "domainid": "sdn"
}
Assign a Role to a User (Grant)
POST /auth/v1/domains/{domainid}/users/{userid}/roles
{
  "roleid": "read-only@sdn"
}
{userid} is the ID returned when the user was created, and roleid is the role name qualified by its domain (name@domainid), so the read-only role created above in domain sdn is read-only@sdn.
Policy Management
Policies define what a role is allowed to do: which HTTP methods (the actions) are permitted on which RESTCONF resource paths. The policy document is itself stored through RESTCONF, under the aaa:http-authorization model.
Define a Policy
POST /restconf/data/aaa:http-authorization/policies
{
  "policies": [
    {
      "resource": "/restconf/modules/**",
      "permissions": [
        {
          "role": "read-only",
          "actions": ["get"]
        }
      ],
      "description": "read only policy on restconf/modules"
    }
  ]
}
With this policy in place, a user holding the read-only role can issue GET requests to /restconf/modules and its sub-paths and nothing else there. Note the flip side: a policy that matches a resource governs every caller to it, and a role that is not listed in its permissions gets no access to that resource at all. If an administrative role still needs to write under /restconf/modules, add a permission entry for it to the same policy, and check the outcome with an authenticated request as each role before relying on it.
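A dry run of the policy document above against a handful of sample requests, as an added example that is not lighty.io's code. It assumes Ant-style resource patterns (a single * matches one path segment, ** any number, so /restconf/modules/** covers /restconf/modules and everything below it), that the first policy whose resource matches a request decides it, and it reports a request that no policy covers as "unmatched" rather than guessing the server's default for that case. The sample requests are constructed for the example; the policy is the page's.

```python
"""Dry-run an aaa:http-authorization policy document against sample requests.

Added example, not lighty.io code. Assumptions: Ant-style resource patterns
("*" one segment, "**" any depth, so /restconf/modules/** also covers the bare
/restconf/modules), the first policy whose resource matches a request decides
it, and a request no policy covers is reported as "unmatched" rather than
allowed or denied, because that default belongs to the server.
"""
import re

# The policy document from this page, as sent to the policies endpoint.
POLICY_DOC = {
    "policies": [
        {
            "resource": "/restconf/modules/**",
            "permissions": [{"role": "read-only", "actions": ["get"]}],
            "description": "read only policy on restconf/modules",
        }
    ]
}

# Constructed sample requests: (roles held by the caller, HTTP method, path).
SAMPLE_REQUESTS = [
    ({"read-only"}, "GET", "/restconf/modules"),
    ({"read-only"}, "GET", "/restconf/modules/ietf-yang-library"),
    ({"read-only"}, "POST", "/restconf/modules/ietf-yang-library"),
    ({"admin"}, "PUT", "/restconf/modules/ietf-yang-library"),
    ({"read-only"}, "GET", "/restconf/data/network-topology:network-topology"),
]


def resource_regex(resource):
    """Translate an Ant-style resource pattern into an anchored regex."""
    out, i = "", 0
    while i < len(resource):
        if resource.startswith("/**", i):  # "/**" also matches the bare parent path
            out, i = out + "(?:/.*)?", i + 3
        elif resource.startswith("**", i):
            out, i = out + ".*", i + 2
        elif resource[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(resource[i]), i + 1
    return re.compile("^" + out + "$")


def evaluate(policies, roles, method, path):
    """'allow', 'deny' or 'unmatched' for one request by a caller holding `roles`."""
    for policy in policies:
        if resource_regex(policy["resource"]).match(path):
            for perm in policy["permissions"]:
                allowed = {a.lower() for a in perm["actions"]}
                if perm["role"] in roles and method.lower() in allowed:
                    return "allow"
            return "deny"  # the resource is governed, but not for this role/action
    return "unmatched"


def audit(policies, requests=SAMPLE_REQUESTS):
    """Evaluate every sample request; review this table before deploying a policy."""
    return [(sorted(roles), method, path, evaluate(policies, roles, method, path))
            for roles, method, path in requests]


if __name__ == "__main__":
    for roles, method, path, verdict in audit(POLICY_DOC["policies"]):
        print(f"{verdict:9} {','.join(roles):10} {method:5} {path}")
```

The fourth row is the one to look at: an admin PUT under /restconf/modules comes back as deny, because the policy matches the resource and lists only read-only. Run this kind of table over your real policy list, with the roles you actually hand out, before loading it into the controller.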
Domain Management
Users and roles reference their domain by domainid, so create the domain before the users and roles that belong to it (the sdn domain in the examples above):
POST /auth/v1/domains
{
  "name": "my-domain",
  "description": "Production SDN domain",
  "enabled": true
}
Authentication Methods
Method 1: HTTP Basic Authentication
Encode username:password in Base64 and send it as the Authorization: Basic <encoded> header; for the user created above, u1:foo encodes to dTE6Zm9v. Base64 is an encoding, not encryption: anyone who captures the request recovers the password, so use HTTP Basic only over TLS and prefer the token flow below for anything that runs repeatedly.
Method 2: OAuth2 Bearer Token
POST /oauth2/token with Content-Type: application/x-www-form-urlencoded and the body
grant_type=password&username=<user>&password=<pass>&scope=<scope>
This is the OAuth2 resource owner password credentials grant: the password is sent to the token endpoint once, and later requests carry the returned token instead, as Authorization: Bearer <token>. A bearer token is usable by whoever holds it until it expires, so protect it like a password, send it only over TLS, and never write it to logs.
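The whole sequence on this page, from creating the user to switching that user over to a Bearer token, as an added example that is not lighty.io's code. It assumes a controller at http://localhost:8888, an existing administrative account (hypothetical credentials), a userid field in the create-user reply, the RFC 6749 access_token field in the token reply, the domain name as the OAuth2 scope, that the sdn domain already exists, and 200 or 201 as success where the page states no status. The endpoint paths and request bodies are the ones shown above. The recording transport is a constructed stand-in so the script runs offline and lets you inspect exactly what would be sent.

```python
"""Walk through this page's AAA calls: user, role, grant, policy, token, list users.
Added example, not lighty.io code. Assumed (not on the page): controller URL
http://localhost:8888, a "userid" field in the create-user reply, the RFC 6749
"access_token" field in the token reply, scope = domain name, 200 or 201 where the
page gives no status, and that domain sdn already exists.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):  # live transport: (status, raw_body)
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # hand 4xx/5xx back instead of raising
        return err.code, err.read()


def basic_auth_header(username, password):
    """RFC 7617: 'Basic ' + base64(user:pass). Encoding, not encryption: TLS only."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode("ascii")


class AaaClient:
    def __init__(self, base_url, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.authorization = None  # current Authorization header value

    def _call(self, method, path, expect, json_body=None, form_body=None):
        headers, body = {"Accept": "application/json"}, None
        if self.authorization:
            headers["Authorization"] = self.authorization
        if json_body is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(json_body).encode("utf-8")
        elif form_body is not None:
            headers["Content-Type"] = "application/x-www-form-urlencoded"
            body = urllib.parse.urlencode(form_body).encode("ascii")
        status, raw = self.transport(method, self.base_url + path, headers, body)
        if status not in expect:  # a 401/403 here means the setup is broken: stop
            raise RuntimeError(f"{method} {path}: expected {expect}, got {status} {raw[:200]!r}")
        return json.loads(raw) if raw else None

    def create_user(self, name, password, domainid, email, description):
        return self._call("POST", "/auth/v1/users", (201,),  # page: 201 Created
                          {"name": name, "description": description, "enabled": 1,
                           "email": email, "password": password, "domainid": domainid})

    def list_users(self):
        return self._call("GET", "/auth/v1/users", (200,))  # page: 200 OK

    def create_role(self, name, domainid, description):
        return self._call("POST", "/auth/v1/roles", (200, 201),
                          {"name": name, "description": description, "domainid": domainid})

    def grant_role(self, domainid, userid, roleid):  # roleid is name@domainid
        return self._call("POST", f"/auth/v1/domains/{domainid}/users/{userid}/roles",
                          (200, 201), {"roleid": roleid})

    def define_policy(self, resource, role, actions, description):
        policy = {"resource": resource, "description": description,
                  "permissions": [{"role": role, "actions": actions}]}
        return self._call("POST", "/restconf/data/aaa:http-authorization/policies",
                          (200, 201), {"policies": [policy]})

    def get_token(self, username, password, scope):
        form = {"grant_type": "password", "username": username, "password": password, "scope": scope}
        return self._call("POST", "/oauth2/token", (200,), form_body=form)["access_token"]


def bootstrap(client, admin_user, admin_pass):
    """The page's sequence: as an existing admin over HTTP Basic, then as u1 over Bearer."""
    client.authorization = basic_auth_header(admin_user, admin_pass)
    user = client.create_user("u1", "foo", "sdn", "u1@sdn.tech", "just another new user")
    client.create_role("read-only", "sdn", "This role is for users that have read only rights")
    client.grant_role("sdn", user["userid"], "read-only@sdn")
    client.define_policy("/restconf/modules/**", "read-only", ["get"],
                         "read only policy on restconf/modules")
    client.authorization = "Bearer " + client.get_token("u1", "foo", "sdn")
    return [u["name"] for u in client.list_users()]


def recording_transport(calls):
    """Constructed stand-in for a controller: logs each request to `calls`, answers canned."""
    def send(method, url, headers, body):
        calls.append((method, url, headers, body))
        path = urllib.parse.urlsplit(url).path
        if path == "/oauth2/token":
            return 200, b'{"access_token": "tok-123", "token_type": "bearer"}'
        if method == "GET":
            return 200, b'[{"userid": "u1@sdn", "name": "u1"}]'
        return 201, b'{"userid": "u1@sdn", "name": "u1"}'  # shape of a create reply
    return send


def demo_offline():
    calls = []  # swap recording_transport(calls) for urllib_transport to hit a live controller
    names = bootstrap(AaaClient("http://localhost:8888", recording_transport(calls)),
                      "admin", "admin-password")  # hypothetical admin credentials
    return names, calls
```

demo_offline() returns the user names listed at the end plus every recorded request, so you can read off the Basic header on the management calls, the form-encoded token request, and the Bearer header on the final listing. Against a real controller, construct AaaClient with the default urllib_transport and a base URL that uses https; a non-matching status raises immediately rather than letting a half-configured account go unnoticed.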