.. code-block:: json
{
- "spring.datasource.cldsdb.url": "jdbc:mariadb://anotherDB.onap.org:3306/cldsdb4?verifyServerCertificate=false&useSSL=false&requireSSL=false&autoReconnect=true",
- "spring.datasource.cldsdb.username": "admin",
- "spring.datasource.cldsdb.password": "password",
-
- "clamp.config.dcae.inventory.url": "http://dcaegen2.host:8080",
- "clamp.config.dcae.dispatcher.url": "http://dcaegen2.host:8188",
- "clamp.config.policy.pdpUrl1": "https://policy-pdp.host:9091/pdp/ , testpdp, alpha123",
- "clamp.config.policy.pdpUrl2": "https://policy-pdp.host:9091/pdp/ , testpdp, alpha123",
- "clamp.config.policy.papUrl": "https://policy-pap.host:8443/pap/ , testpap, alpha123",
- "clamp.config.policy.clientKey": "5CE79532B3A2CB4D132FC0C04BF916A7",
- "clamp.config.files.sdcController":"file:/opt/clamp/config/sdc-controllers-config.json",
- "clamp.config.cadi.aafLocateUrl": "https://aaf-locate.onap:8095",
+ "spring.datasource.cldsdb.url": "jdbc:mariadb:sequential://clampdb.{{ include "common.namespace" . }}:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3",
+ "clamp.config.files.sdcController": "file:/opt/clamp/sdc-controllers-config.json",
+ "clamp.config.dcae.inventory.url": "https://inventory.{{ include "common.namespace" . }}:8080",
+ "clamp.config.dcae.dispatcher.url": "https4://deployment-handler.{{ include "common.namespace" . }}:8443",
+ "clamp.config.dcae.deployment.url": "https4://deployment-handler.{{ include "common.namespace" . }}:8443",
+ "clamp.config.dcae.deployment.userName": "none",
+ "clamp.config.dcae.deployment.password": "none",
+ "clamp.config.policy.api.url": "https4://policy-api.{{ include "common.namespace" . }}:6969",
+ "clamp.config.policy.api.userName": "healthcheck",
+ "clamp.config.policy.api.password": "zb!XztG34",
+ "clamp.config.policy.pap.url": "https4://policy-pap.{{ include "common.namespace" . }}:6969",
+ "clamp.config.policy.pap.userName": "healthcheck",
+ "clamp.config.policy.pap.password": "zb!XztG34",
+ "clamp.config.cadi.aafLocateUrl": "https://aaf-locate.{{ include "common.namespace" . }}:8095",
"com.att.eelf.logging.path": "/opt/clamp",
"com.att.eelf.logging.file": "logback.xml"
}
This file is a JSON that must be specified to Spring config, here is an example:
.. code-block:: json
- {
- "sdc-connections":{
- "sdc-controller1":{
- "user": "clamp",
- "consumerGroup": "consumerGroup1",
- "consumerId": "consumerId1",
- "environmentName": "AUTO",
- "sdcAddress": "localhost:8443",
- "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981",
- "pollingInterval":30,
- "pollingTimeout":30,
- "activateServerTLSAuth":"false",
- "keyStorePassword":"",
- "keyStorePath":"",
- "messageBusAddresses":["dmaaphost.com"]
- },
- "sdc-controller2":{
- "user": "clamp",
- "consumerGroup": "consumerGroup1",
- "consumerId": "consumerId1",
- "environmentName": "AUTO",
- "sdcAddress": "localhost:8443",
- "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981",
- "pollingInterval":30,
- "pollingTimeout":30,
- "activateServerTLSAuth":"false",
- "keyStorePassword":"",
- "keyStorePath":"",
- "messageBusAddresses":["dmaaphost.com"]
+
+ {
+ "sdc-connections":{
+ "sdc-controller1":{
+ "user": "clamp",
+ "consumerGroup": "consumerGroup1",
+ "consumerId": "consumerId1",
+ "environmentName": "AUTO",
+ "sdcAddress": "localhost:8443",
+ "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981",
+ "pollingInterval":30,
+ "pollingTimeout":30,
+ "activateServerTLSAuth":"false",
+ "keyStorePassword":"",
+ "keyStorePath":"",
+ "messageBusAddresses":["dmaaphost.com"]
+ },
+ "sdc-controller2":{
+ "user": "clamp",
+ "consumerGroup": "consumerGroup1",
+ "consumerId": "consumerId1",
+ "environmentName": "AUTO",
+ "sdcAddress": "localhost:8443",
+ "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981",
+ "pollingInterval":30,
+ "pollingTimeout":30,
+ "activateServerTLSAuth":"false",
+ "keyStorePassword":"",
+ "keyStorePath":"",
+ "messageBusAddresses":["dmaaphost.com"]
+ }
+ }
}
- }
- }
Multiple controllers can be configured so that Clamp is able to receive the notifications from different SDC servers.
Each Clamp existing in a cluster should have different consumerGroup and consumerId so that they can each consume the SDC notification.
Administration
--------------
-A user can access CLAMP UI at the following URL : https://localhost:8443/designer/index.html.
+A user can access CLAMP UI at the following URL : https://localhost:443/designer/index.html.
(in this URL 'localhost' must be replaced by the actual host where CLAMP has been installed if it is not your current localhost)
-For OOM, the URL is https://<host-ip>:30258/designer/index.html
+For OOM, the URL is https://<host-ip>:30258
.. code-block:: html
+
- Without AAF, the credentials are
Default username : admin
Default password : password
ca path: src/main/resources/clds/aaf/org.onap.clamp.p12, password "China in the Spring"
Or get it from this page : https://wiki.onap.org/display/DW/Control+Loop+Flows+and+Models+for+Casablanca
+A user can access the Control-Loop DashBoard (ELK stack based) at the following URL : https://localhost:5601 .
+(in this URL 'localhost' must be replaced by the actual host where CLAMP has been installed if it is not your current localhost)
+For OOM, the URL is https://<host-ip>:30290. Since El Alto release, User access is protected using the Search Guard plugin, community Edition!,
+for Kibana and ElasticSearch. The initial users and credentials provided by the Search Guard plugins are used by default.
+(take a look at the files in the ElasticSearch docker image located in the folder: /usr/share/elasticsearch/config/sg/,
+especially the file "sg_internal_users.yml").
+
Human Interfaces
----------------
.. Basic info on the interface type, ports/protocols provided over, etc.
Version: 4.1.2
--------------
-:Release Date: 2019-09-16
+:Release Date: 2019-09-18
**New Features**
**Known Issues**
+ - `CLAMP-506 <https://jira.onap.org/browse/CLAMP-506>`_ Elastic Search Clamp image cannot be built anymore(SearchGuard DMCA issue)
+
**Security Notes**
</configuration>
</execution>
</executions>
-
</plugin>
<plugin>
<groupId>io.fabric8</groupId>
</assembly>
</build>
</image>
- <image>
- <name>onap/clamp-dashboard-elasticsearch</name>
- <alias>onap-clamp-dashboard-elasticsearch</alias>
- <run>
- <skip>true</skip>
- </run>
- <build>
- <cleanup>true</cleanup>
- <tags>
- <tag>latest</tag>
- <tag>${project.docker.latesttagtimestamp.version}</tag>
- <tag>${project.docker.latesttag.version}</tag>
- </tags>
- <dockerFile>elasticsearch/Dockerfile</dockerFile>
- </build>
- </image>
<image>
<name>onap/clamp-dashboard-logstash</name>
<alias>onap-clamp-dashboard-logstash</alias>
--- /dev/null
+distribution_type: 'container'
+container_release_tag: '4.1.2'
+project: 'clamp'
+log_dir: 'clamp-maven-docker-stage-master/121/'
+ref: 9fb87912f025e85b26c238d286d87e0e1c9c767a
+containers:
+ - name: 'clamp-backend'
+ version: '4.1-STAGING-20190916T192828Z'
+ - name: 'clamp-frontend'
+ version: '4.1-STAGING-20190916T192828Z'
+ - name: 'clamp-dashboard-logstash'
+ version: '4.1-STAGING-20190916T192828Z'
+ - name: 'clamp-dashboard-kibana'
+ version: '4.1-STAGING-20190916T192828Z'
--- /dev/null
+---
+distribution_type: 'maven'
+version: '4.1.2'
+project: 'clamp'
+log_dir: 'clamp-maven-stage-master/133/'
\ No newline at end of file
# HTTP
# basic (challenging)
# proxy (not challenging, needs xff)
-# kerberos (challenging) NOT FREE FOR COMMERCIAL
# clientcert (not challenging, needs https)
-# jwt (not challenging) NOT FREE FOR COMMERCIAL
# host (not challenging) #DEPRECATED, will be removed in a future version.
# host based authentication is configurable in sg_roles_mapping
# Authc
# internal
# noop
-# ldap NOT FREE FOR COMMERCIAL USE
# Authz
-# ldap NOT FREE FOR COMMERCIAL USE
# noop
+#
+# Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free;
+# see https://github.com/floragunncom/search-guard. The functionality enabled in this configuration
+# file only include those that are licensed under Apache-2.0. Please use care and review SearchGuard's
+# license details before enabling any additional features here.
+
searchguard:
dynamic:
# Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#kibana:
- # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
# see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
# To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
#multitenancy_enabled: true
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
- kerberos_auth_domain:
- http_enabled: false
- transport_enabled: false
- order: 6
- http_authenticator:
- type: kerberos # NOT FREE FOR COMMERCIAL USE
- challenge: true
- config:
- # If true a lot of kerberos/security related debugging output will be logged to standard out
- krb_debug: false
- # If true then the realm will be stripped from the user name
- strip_realm_from_principal: true
- authentication_backend:
- type: noop
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
challenge: false
authentication_backend:
type: noop
- ldap:
- http_enabled: false
- transport_enabled: false
- order: 5
- http_authenticator:
- type: basic
- challenge: false
- authentication_backend:
- # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
- type: ldap # NOT FREE FOR COMMERCIAL USE
- config:
- # enable ldaps
- enable_ssl: false
- # enable start tls, enable_ssl should be false
- enable_start_tls: false
- # send client certificate
- enable_ssl_client_auth: false
- # verify ldap hostname
- verify_hostnames: true
- hosts:
- - localhost:8389
- bind_dn: null
- password: null
- userbase: 'ou=people,dc=example,dc=com'
- # Filter to search for users (currently in the whole subtree beneath userbase)
- # {0} is substituted with the username
- usersearch: '(sAMAccountName={0})'
- # Use this attribute from the user as username (if not set then DN is used)
- username_attribute: null
authz:
- roles_from_myldap:
- http_enabled: false
- transport_enabled: false
- authorization_backend:
- # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
- type: ldap # NOT FREE FOR COMMERCIAL USE
- config:
- # enable ldaps
- enable_ssl: false
- # enable start tls, enable_ssl should be false
- enable_start_tls: false
- # send client certificate
- enable_ssl_client_auth: false
- # verify ldap hostname
- verify_hostnames: true
- hosts:
- - localhost:8389
- bind_dn: null
- password: null
- rolebase: 'ou=groups,dc=example,dc=com'
- # Filter to search for roles (currently in the whole subtree beneath rolebase)
- # {0} is substituted with the DN of the user
- # {1} is substituted with the username
- # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
- rolesearch: '(member={0})'
- # Specify the name of the attribute which value should be substituted with {2} above
- userroleattribute: null
- # Roles as an attribute of the user entry
- userrolename: disabled
- #userrolename: memberOf
- # The attribute in a role entry containing the name of that role, Default is "name".
- # Can also be "dn" to use the full DN as rolename.
- rolename: cn
- # Resolve nested roles transitive (roles which are members of other roles and so on ...)
- resolve_nested_roles: true
- userbase: 'ou=people,dc=example,dc=com'
- # Filter to search for users (currently in the whole subtree beneath userbase)
- # {0} is substituted with the username
- usersearch: '(uid={0})'
- # Skip users matching a user name, a wildcard or a regex pattern
- #skip_users:
- # - 'cn=Michael Jackson,ou*people,o=TEST'
- # - '/\S*/'
- roles_from_another_ldap:
- enabled: false
- authorization_backend:
- type: ldap # NOT FREE FOR COMMERCIAL USE
- #config goes here ...
# auth_failure_listeners:
# ip_rate_limiting:
# type: ip
# Reason is that we currently parse the config file into a elasticsearch settings object which cannot cope with dots in keys.
# Workaround: Just configure something like '?kibana' instead of '.kibana' or 'my?index' instead of 'my.index'
# This limitation will likely removed with Search Guard 6
-
-# DLS (Document level security) - NOT FREE FOR COMMERCIAL
-# http://docs.search-guard.com/v6/document-level-security
-
-# FLS (Field level security) - NOT FREE FOR COMMERCIAL
-# http://docs.search-guard.com/v6/field-level-security
-
-# Kibana multitenancy - NOT FREE FOR COMMERCIAL
-# http://docs.search-guard.com/v6/kibana-multi-tenancy
+#
+# Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free;
+# see https://github.com/floragunncom/search-guard. The functionality enabled in this configuration
+# file only include those that are licensed under Apache-2.0. Please use care and review SearchGuard's
+# license details before enabling any additional features here.
# Allows everything, but no changes to searchguard configuration index
sg_all_access:
Code Review / clamp.git / commitdiff