.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

The pap, console, pdp-x, brmsgw, and pdp-d components have been migrated from HTTP to HTTPS. Server certificates were derived from the AAF Root CA.

AAF is supported for externally facing entry points into the Policy subsystem. These are:

* PDP-D supports AAF for its telemetry and healthcheck APIs.
* PDP-X supports AAF for its external policy APIs. It is currently disabled because some clients are not AAF-capable, and this is a global setting.
* Console (for Browser Portal redirects) supports AAF when accessed through Portal.

+--------+------+------------+-----+-----+---------------------------------+
| Policy | Role | Remote     |HTTPS| AAF | Notes                           |
+========+======+============+=====+=====+=================================+
| pdp-d  |server| \*         |true |true |Healthcheck and Telemetry APIs   |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| aaf        |true |true |Two-way TLS                      |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| aai        |true |true |Runtime Control Loop Execution   |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| dmaap      |true |false|Runtime Control Loop Execution   |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| so         |false|false|Not supported in so              |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| vfc        |false|false|Not supported in vfc             |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-x  |server| \*         |true |false|Not all clients are AAF-capable  |
+--------+------+------------+-----+-----+---------------------------------+
| pap    |server| \*         |true |false|Not all clients are AAF-capable  |
+--------+------+------------+-----+-----+---------------------------------+
| console|server| portal     |true |true |Redirected from portal           |
+--------+------+------------+-----+-----+---------------------------------+
| brmsgw |client| dmaap      |true |false|Runtime Control Loop Execution   |
+--------+------+------------+-----+-----+---------------------------------+

The default demo ONAP installation comes up bootstrapped with the following AAF data with regard to Policy.

.. code-block::
    :caption: Bootstrapped AAF configuration

    org.onap.policy.access * *
    org.onap.policy.access * read
    org.onap.policy.certman local request,ignoreIPs,showpass

    Portal Permissions (for UI purposes, administered by Portal team):
    org.onap.policy.menu menu_admin *
    org.onap.policy.menu menu_ajax *
    org.onap.policy.menu menu_concept *
    org.onap.policy.menu menu_customer *
    org.onap.policy.menu menu_customer_create *
    org.onap.policy.menu menu_doclib *
    org.onap.policy.menu menu_feedback *
    org.onap.policy.menu menu_help *
    org.onap.policy.menu menu_home *
    org.onap.policy.menu menu_itracker *
    org.onap.policy.menu menu_job *
    org.onap.policy.menu menu_job_create *
    org.onap.policy.menu menu_job_designer *
    org.onap.policy.menu menu_logout *
    org.onap.policy.menu menu_map *
    org.onap.policy.menu menu_notes *
    org.onap.policy.menu menu_policy *
    org.onap.policy.menu menu_process *
    org.onap.policy.menu menu_profile *
    org.onap.policy.menu menu_profile_create *
    org.onap.policy.menu menu_profile_import *
    org.onap.policy.menu menu_reports *
    org.onap.policy.menu menu_sample *
    org.onap.policy.menu menu_tab *
    org.onap.policy.menu menu_task *
    org.onap.policy.menu menu_task_search *
    org.onap.policy.menu menu_test *
    org.onap.policy.url doclib *
    org.onap.policy.url doclib_admin *
    org.onap.policy.url login *
    org.onap.policy.url policy_admin *
    org.onap.policy.url policy_dashboard *
    org.onap.policy.url policy_dictionary *
    org.onap.policy.url policy_editor *
    org.onap.policy.url policy_pdp *
    org.onap.policy.url policy_push *
    org.onap.policy.url policy_roles *
    org.onap.policy.url view_reports *

    PDP-D Permissions for Telemetry REST API access:
    org.onap.policy.pdpd.healthcheck * get
    org.onap.policy.pdpd.healthcheck.configuration * get
    org.onap.policy.pdpd.telemetry * delete
    org.onap.policy.pdpd.telemetry * get
    org.onap.policy.pdpd.telemetry * post
    org.onap.policy.pdpd.telemetry * put

    PDP-X Permissions for XACML REST APIs:
    org.onap.policy.pdpx.config * *
    org.onap.policy.pdpx.createDictionary * *
    org.onap.policy.pdpx.createPolicy * *
    org.onap.policy.pdpx.decision * *
    org.onap.policy.pdpx.getConfig * *
    org.onap.policy.pdpx.getConfigByPolicyName * *
    org.onap.policy.pdpx.getDecision * *
    org.onap.policy.pdpx.getDictionary * *
    org.onap.policy.pdpx.getMetrics * *
    org.onap.policy.pdpx.list * *
    org.onap.policy.pdpx.listConfig * *
    org.onap.policy.pdpx.listPolicy * *
    org.onap.policy.pdpx.policyEngineImport * *
    org.onap.policy.pdpx.pushPolicy * *
    org.onap.policy.pdpx.sendEvent * *
    org.onap.policy.pdpx.updateDictionary * *
    org.onap.policy.pdpx.updatePolicy * *

    Basic Namespace Admin Roles:
    org.onap.policy.admin
    org.onap.policy.owner
    org.onap.policy.seeCerts

    org.onap.policy.Account_Administrator
    org.onap.policy.Policy_Admin
    org.onap.policy.Policy_Editor
    org.onap.policy.Policy_Guest
    org.onap.policy.Policy_Super_Admin
    org.onap.policy.Policy_Super_Guest
    org.onap.policy.Standard_User
    org.onap.policy.System_Administrator

    org.onap.policy.pdpd.admin
    org.onap.policy.pdpd.monitor

    org.onap.policy.pdpx.admin
    org.onap.policy.pdpx.monitor

    demo@people.osaaf.org
    policy@policy.onap.org

demo@people.osaaf.org and policy@policy.onap.org are properly configured with AAF in a default ONAP installation. Their permissions are:

.. code-block::
    :caption: Default permissions for demo and policy accounts.

    List Permissions by User[policy@policy.onap.org]
    --------------------------------------------------------------------------------
    PERM Type Instance Action
    --------------------------------------------------------------------------------
    org.onap.policy.access * *
    org.onap.policy.access * read
    org.onap.policy.certman local request,ignoreIPs,showpass
    org.onap.policy.pdpd.healthcheck * get
    org.onap.policy.pdpd.healthcheck.configuration * get
    org.onap.policy.pdpd.telemetry * delete
    org.onap.policy.pdpd.telemetry * get
    org.onap.policy.pdpd.telemetry * post
    org.onap.policy.pdpd.telemetry * put
    org.onap.policy.pdpx.createDictionary * *
    org.onap.policy.pdpx.createPolicy * *
    org.onap.policy.pdpx.decision * *
    org.onap.policy.pdpx.getConfig * *
    org.onap.policy.pdpx.getConfigByPolicyName * *
    org.onap.policy.pdpx.getDecision * *
    org.onap.policy.pdpx.getDictionary * *
    org.onap.policy.pdpx.getMetrics * *
    org.onap.policy.pdpx.list * *
    org.onap.policy.pdpx.listConfig * *
    org.onap.policy.pdpx.listPolicy * *
    org.onap.policy.pdpx.policyEngineImport * *
    org.onap.policy.pdpx.pushPolicy * *
    org.onap.policy.pdpx.sendEvent * *
    org.onap.policy.pdpx.updateDictionary * *
    org.onap.policy.pdpx.updatePolicy * *

    List Permissions by User[demo@people.osaaf.org]
    --------------------------------------------------------------------------------
    PERM Type Instance Action
    --------------------------------------------------------------------------------
    org.onap.policy.access
    org.onap.policy.access * read
    org.onap.policy.menu menu_admin *
    org.onap.policy.menu menu_ajax *
    org.onap.policy.menu menu_customer *
    org.onap.policy.menu menu_customer_create *
    org.onap.policy.menu menu_feedback *
    org.onap.policy.menu menu_help *
    org.onap.policy.menu menu_home *
    org.onap.policy.menu menu_itracker *
    org.onap.policy.menu menu_job *
    org.onap.policy.menu menu_job_create *
    org.onap.policy.menu menu_logout *
    org.onap.policy.menu menu_notes *
    org.onap.policy.menu menu_process *
    org.onap.policy.menu menu_profile *
    org.onap.policy.menu menu_profile_create *
    org.onap.policy.menu menu_profile_import *
    org.onap.policy.menu menu_reports *
    org.onap.policy.menu menu_sample *
    org.onap.policy.menu menu_tab *
    org.onap.policy.menu menu_test *
    org.onap.policy.pdpd.healthcheck * get
    org.onap.policy.pdpd.healthcheck.configuration * get
    org.onap.policy.pdpd.telemetry * delete
    org.onap.policy.pdpd.telemetry * get
    org.onap.policy.pdpd.telemetry * post
    org.onap.policy.pdpd.telemetry * put
    org.onap.policy.pdpx.config * *
    org.onap.policy.pdpx.createDictionary * *
    org.onap.policy.pdpx.createPolicy * *
    org.onap.policy.pdpx.decision * *
    org.onap.policy.pdpx.getConfig * *
    org.onap.policy.pdpx.getConfigByPolicyName * *
    org.onap.policy.pdpx.getDecision * *
    org.onap.policy.pdpx.getDictionary * *
    org.onap.policy.pdpx.getMetrics * *
    org.onap.policy.pdpx.list * *
    org.onap.policy.pdpx.listConfig * *
    org.onap.policy.pdpx.listPolicy * *
    org.onap.policy.pdpx.policyEngineImport * *
    org.onap.policy.pdpx.pushPolicy * *
    org.onap.policy.pdpx.sendEvent * *
    org.onap.policy.pdpx.updateDictionary * *
    org.onap.policy.pdpx.updatePolicy * *
    org.onap.policy.url doclib *
    org.onap.policy.url doclib_admin *
    org.onap.policy.url login *

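
For a least-privilege review of listings in the format above, the following added example (not part of the ONAP documentation or code) parses the per-user sections and flags wildcard grants, mutating actions granted on any instance, and rows with missing columns. The `READ_ONLY` set and the finding labels are assumptions made for illustration; the sample input is a constructed excerpt.

```python
import re
from collections import defaultdict
# Constructed sample: a short excerpt in the listing layout shown above.
SAMPLE = """\
List Permissions by User[policy@policy.onap.org]
--------------------------------------------------------------------------------
PERM Type Instance Action
--------------------------------------------------------------------------------
org.onap.policy.access * *
org.onap.policy.certman local request,ignoreIPs,showpass
org.onap.policy.pdpd.telemetry * delete
org.onap.policy.pdpd.telemetry * get
org.onap.policy.pdpx.pushPolicy * *
List Permissions by User[demo@people.osaaf.org]
--------------------------------------------------------------------------------
PERM Type Instance Action
--------------------------------------------------------------------------------
org.onap.policy.access
org.onap.policy.menu menu_admin *
org.onap.policy.pdpd.telemetry * put
"""

HEADER = re.compile(r"^List Permissions by User\[([^\]]+)\]$")
READ_ONLY = {"get", "read"}  # assumption: actions treated as non-mutating

def parse_listing(text):
    """Return {user: [(type, instance, action)]}; missing columns become None."""
    perms, user = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        match = HEADER.match(line)
        if match:
            user = match.group(1)
        elif user and line and set(line) != {"-"} and not line.startswith("PERM Type"):
            fields = line.split() + [None, None]
            perms[user].append(tuple(fields[:3]))
    return dict(perms)

def review(perms):
    """Flag wildcard (* / *), mutating-on-any-instance, and incomplete rows."""
    findings = defaultdict(list)
    for user, rows in perms.items():
        for ptype, instance, action in rows:
            if instance is None or action is None:
                findings[user].append(("incomplete", ptype))
            elif (instance, action) == ("*", "*"):
                findings[user].append(("wildcard", ptype))
            elif instance == "*" and not set(action.split(",")) <= READ_ONLY:
                findings[user].append(("mutating", f"{ptype} {action}"))
    return dict(findings)
```

Calling `review(parse_listing(SAMPLE))` returns the findings per account, so the same functions can be pointed at a full listing saved to a file.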
AAF is enabled by default in PDP-D installations. Set the AAF installation variable to false to disable it.

+---------------+-------------------------+----------+---------------------------+
| Repository    | Install File            | Variable | Notes                     |
+===============+=========================+==========+===========================+
| policy/docker | config/drools/base.conf | AAF      | Heat Installation         |
+---------------+-------------------------+----------+---------------------------+
| oom           | config/drools/base.conf | AAF      | OOM Installation          |
+---------------+-------------------------+----------+---------------------------+

AAF can also be disabled at runtime within the PDP-D container by modifying the following files.

+----------------------------------------------------+-----------------------------------------+
| $POLICY_HOME/config/policy-engine.properties       | http.server.services.SECURED-CONFIG.aaf |
+----------------------------------------------------+-----------------------------------------+
| $POLICY_HOME/config/feature-healthcheck.properties | http.server.services.HEALTHCHECK.aaf    |
+----------------------------------------------------+-----------------------------------------+

After modifying these files, restart the container with ``policy stop; policy start``.
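
Because AAF can be switched off by editing two properties files, a configuration-drift check is useful. The following added example (not part of the ONAP documentation or code) reads the two files and keys from the table above and reports whether each AAF property is enabled, disabled, unset, or the file is missing. It assumes Java-style properties syntax and `true`/`false` values; the `demo()` input is constructed.

```python
import re
import tempfile
from pathlib import Path

# File paths (relative to $POLICY_HOME) and property keys from the table above.
AAF_KEYS = {
    "config/policy-engine.properties": "http.server.services.SECURED-CONFIG.aaf",
    "config/feature-healthcheck.properties": "http.server.services.HEALTHCHECK.aaf",
}


def read_property(path, key):
    """Return the last value assigned to key in a properties file, or None."""
    value = None
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
        if parts[0] == key:
            value = parts[1] if len(parts) > 1 else ""
    return value


def aaf_status(policy_home):
    """Map each file to 'enabled', 'disabled', 'unset' or 'missing'."""
    status = {}
    for rel, key in AAF_KEYS.items():
        path = Path(policy_home) / rel
        value = read_property(path, key) if path.is_file() else None
        if not path.is_file():
            status[rel] = "missing"
        elif value is None:
            status[rel] = "unset"
        else:  # assumption: the property holds true/false
            status[rel] = "enabled" if value.lower() == "true" else "disabled"
    return status


def demo():
    """Run the check against a constructed $POLICY_HOME in a temp directory."""
    with tempfile.TemporaryDirectory() as home:
        cfg = Path(home, "config")
        cfg.mkdir()
        (cfg / "policy-engine.properties").write_text(
            "# constructed sample\nhttp.server.services.SECURED-CONFIG.aaf = false\n")
        (cfg / "feature-healthcheck.properties").write_text(
            "constructed.other.key=1\n")
        return aaf_status(home)
```

An `unset` result is reported as such rather than mapped to enabled or disabled, since the page does not state the default when the key is absent.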