From: pkaras Date: Fri, 12 Apr 2019 11:08:48 +0000 (+0200) Subject: security related documentation moved to buscontroller X-Git-Tag: 1.0.26~7^2 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=dmaap%2Fdbcapi.git;a=commitdiff_plain;h=198486f728dd14e0c65ff7c995e5a3173596995a security related documentation moved to buscontroller Change-Id: Id6becd889f890210dd4a2f7a83d0b13797e301bd Issue-ID: DMAAP-1115 Signed-off-by: piotr.karas --- diff --git a/docs/api.rst b/docs/api.rst index 7f187d4..9eab4da 100644 --- a/docs/api.rst +++ b/docs/api.rst 
@@ -4928,54 +4928,3 @@ Topic Model Structure topicName | No | string | | | the short name used by humans, and utilized to construct the `FQTN` version | No | string | | | a hook for any versioning needed for managing a `Topic` over time -Security -~~~~~~~~ -As default security is in Dmaap Bus Controller disabled. - -Enable ------- -Settings to turn on security is in file dmaapbc.properties. The file is located in OOM project in path: ./oom/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties -During deployment the the file is placed into ConfigMap XXX-dmaap-bus-controller-config (XXX depend on deployment setup). The config map is linked to volume with read only permission so it can not be changed from pod level. -Ater updating ConfigMap the bus controller pod needs to be restarted. - -Settings -++++++++ - -In the dmaapbc.properties for security settings there is a main flag: - -1.UseAAF: true - -If set to true then creating topic also will create required perms in AAF. The perms will be created in org.onap.dmaap.mr. -The last element -mr- is related to another setting - MR.projectID . - -Example: - Topic name: - aSimpleTopic - Permitions - org.onap.dmaap.mr.topic|:topic.org.onap.dmaap.mr.aSimpleTopic|pub - org.onap.dmaap.mr.topic|:topic.org.onap.dmaap.mr.aSimpleTopic|sub - org.onap.dmaap.mr.topic|:topic.org.onap.dmaap.mr.aSimpleTopic|view - - -Hint: User defined in the certificate of cadi (property:cadi.properties, user:dmaap-bc@dmaap-bc.onap.org) needs to have permissions to create and view such topics (org.onap.dmaap.mr.topic|*|*). - - -Authentication is using CADI - -CADI confilguration is stored in CADI files. Location of the files is defined in varaible: -cadi.properties: /opt/app/osaaf/local/org.onap.dmaap-bc.props - -The configuration is a mandatory and missing parameter or file cause exception. - -Authorization is done by CADI - configuration is required as above - -Call to bus controller needs to have given user credentials. 
The user ich checked in AAF for permission to call topic. -The check is done in org.onap.dmaap-bc.api according to ApiNamespace setting. - -Hint: User defined in the certificate of cadi (property:cadi.properties, user:dmaap-bc@dmaap-bc.onap.org) needs to have permission to read the namespace (org.onap.dmaap-bc.api.access|*|read). - - -2.UseAAF: false - -For backward compatibility, if AAF flag is turned off the previous implementation is enabled based on AuthorizationFilter and ApiPermission class. -This filter switching has been made due to the technology differences: Jersey filters do not implement directly servlet API, but CADI filter is based on it. \ No newline at end of file
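Review bot: This hunk only deletes the Security section from docs/api.rst, and nothing in the change adds it anywhere else, so the "moved to buscontroller" claim in the commit message cannot be verified from the patch itself; either include the destination file in this change or name the target document (and, if separate, its Change-Id) in the commit message so a reviewer can confirm nothing was dropped. In particular, the deleted text carries operationally important statements that must survive the move: "As default security is in Dmaap Bus Controller disabled.", the ConfigMap/restart procedure for dmaapbc.properties, and the two AAF permissions the CADI identity dmaap-bc@dmaap-bc.onap.org needs (org.onap.dmaap.mr.topic|*|* and org.onap.dmaap-bc.api.access|*|read), plus the note that a missing CADI file or parameter raises an exception. While relocating, fix the typos in the source text rather than copying them verbatim ("Ater" -> "After", "Permitions" -> "Permissions", "confilguration" -> "configuration", "varaible" -> "variable", "The user ich checked" -> "The user is checked"), and consider splitting the two UseAAF values ("1.UseAAF: true" / "2.UseAAF: false") into proper RST subsections since the flat numbering does not render as structure.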