Update OOM APPC chart to enhance AAF support 09/50409/6
authorAaron Hay <ah415j@att.com>
Tue, 5 Jun 2018 17:23:50 +0000 (13:23 -0400)
committerAaron Hay <ah415j@att.com>
Wed, 27 Jun 2018 15:50:45 +0000 (11:50 -0400)
Added AAF config parameters and files needed to allow AAF to work in an APPC OOM environment.

Change-Id: I39f0769e721889a68c6a111adf29d685b9f97dbf
Issue-ID: OOM-1124
Signed-off-by: Aaron Hay <ah415j@att.com>
kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml [new file with mode: 0644]
kubernetes/appc/templates/statefulset.yaml
kubernetes/appc/values.yaml

index a990739..18a2783 100755 (executable)
@@ -55,6 +55,9 @@ APPC_HOME=${APPC_HOME:-/opt/onap/appc}
 SLEEP_TIME=${SLEEP_TIME:-120}
 MYSQL_PASSWD=${MYSQL_PASSWD:-{{.Values.config.dbRootPassword}}}
 ENABLE_ODL_CLUSTER=${ENABLE_ODL_CLUSTER:-false}
+ENABLE_AAF=${ENABLE_AAF:-false}
+AAF_EXT_IP=${AAF_EXT_IP:-{{.Values.config.aafExtIP}}}
+AAF_EXT_FQDN=${AAF_EXT_FQDN:-{{.Values.config.aafExtFQDN}}}
 
 appcInstallStartTime=$(date +%s)
 
@@ -143,8 +146,13 @@ then
         echo "" >> ${ODL_HOME}/etc/system.properties
 
         echo "Copying the aaa shiro configuration into opendaylight"
-        cp ${APPC_HOME}/data/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml
-
+        if $ENABLE_AAF
+        then
+             echo "${AAF_EXT_IP} ${AAF_EXT_FQDN}" >> /etc/hosts
+             cp ${APPC_HOME}/data/properties/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml
+        else
+             cp ${APPC_HOME}/data/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml
+        fi
 
         echo "Restarting OpenDaylight"
         ${ODL_HOME}/bin/stop
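Review bot: `if $ENABLE_AAF` in the new copy step executes the variable's value as a command, so any value other than a literal `true`/`false` (for example `True` or `yes` coming through values.yaml) is run as a program and, when it is not found, silently falls into the non-AAF branch; compare the string instead, `if [ "${ENABLE_AAF}" = "true" ]`. The `echo "${AAF_EXT_IP} ${AAF_EXT_FQDN}" >> /etc/hosts` line also runs on every container restart, so the mapping is appended again each time; prefixing it with `grep -q "${AAF_EXT_FQDN}" /etc/hosts ||` keeps the file to one entry. Because that line pins the AAF FQDN to a fixed address, a stale or wrong aafExtIP sends every authentication request to the wrong host, which deserves a comment on the line. The enclosing `then` block starts before this hunk.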
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml
new file mode 100644 (file)
index 0000000..31bc4e3
--- /dev/null
@@ -0,0 +1,120 @@
+<?xml version="1.0" ?>
+<!--
+###
+# ============LICENSE_START=======================================================
+# APPC
+# ================================================================================
+# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+ -->
+
+<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
+
+    <!--
+      ================================= TokenAuthRealm ==================================
+      =                                                                                 =
+      = Use org.onap.aaf.cadi.shiro.AAFRealm to enable AAF authentication               =
+      = Use org.opendaylight.aaa.shiro.realm.TokenAuthRealm                             =
+      ===================================================================================
+    -->
+    <main>
+        <pair-key>tokenAuthRealm</pair-key>
+<!--        <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
+        <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
+    </main>
+
+
+    <!-- add tokenAuthRealm as the only default realm -->
+    <main>
+        <pair-key>securityManager.realms</pair-key>
+        <pair-value>$tokenAuthRealm</pair-value>
+    </main>
+
+    <!-- Used to support OAuth2 use case. -->
+    <main>
+        <pair-key>authcBasic</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
+    </main>
+
+    <!-- in order to track AAA challenge attempts -->
+    <main>
+        <pair-key>accountingListener</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
+    </main>
+    <main>
+        <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
+        <pair-value>$accountingListener</pair-value>
+    </main>
+
+    <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
+    <main>
+        <pair-key>dynamicAuthorization</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
+    </main>
+
+
+    <!--
+      ===================================================================================
+      =                                      URLS                                       =
+      = For AAF use <pair-value> authcBasic, roles[org.onap.appc.odl|odl-api\*]         =
+      = org.onap.appc.odl|odl-api|* can be replaced with other AAF permissions          =
+      = For default <pair-value> authcBasic, roles[admin]                               =
+      ===================================================================================
+    -->
+
+    <!-- restrict access to some endpoints by default -->
+    <urls>
+        <pair-key>/auth/**</pair-key>
+<!--        <pair-value>authcBasic, roles[admin], dynamicAuthorization</pair-value> -->
+        <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/restconf/config/aaa-cert-mdsal**</pair-key>
+<!--        <pair-value>authcBasic, roles[admin]</pair-value> -->
+        <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/restconf/operational/aaa-cert-mdsal**</pair-key>
+<!--        <pair-value>authcBasic, roles[admin]</pair-value> -->
+        <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/restconf/operations/aaa-cert-rpc**</pair-key>
+<!--        <pair-value>authcBasic, roles[admin]</pair-value> -->
+        <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/restconf/config/aaa-authn-model**</pair-key>
+<!--        <pair-value>authcBasic, roles[admin]</pair-value> -->
+        <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/restconf/operational/aaa-authn-model**</pair-key>
+<!--        <pair-value>authcBasic, roles[admin]</pair-value> -->
+        <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/restconf/operations/cluster-admin**</pair-key>
+<!--        <pair-value>authcBasic, roles[admin]</pair-value> -->
+        <pair-value>authcBasic, roles[org.onap.appc.odl|odl-admin|*]</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/**</pair-key>
+<!--        <pair-value>authcBasic, roles[admin]</pair-value> -->
+        <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value>
+    </urls>
+</shiro-configuration>
+
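Review bot: The URLS banner comment describes the AAF filter chain as `roles[org.onap.appc.odl|odl-api\*]`, which does not match the values actually used below (`roles[org.onap.appc.odl|odl-api|*]` on `/**` and `roles[org.onap.appc.odl|odl-admin|*]` on the admin endpoints); the comment should quote the real permission strings and say which one applies to which group of urls. The `dynamicAuthorization` filter is still declared in the main section but is no longer referenced by any url entry — the commented-out `/auth/**` value was the only chain that used it — so the MDSAL model-based RBAC appears to be inactive in this variant; if that is intended, a comment on the declaration saying so would stop the next reader from assuming it is enforced. A line in the header stating that this file is the variant selected only when ENABLE_AAF is true, and that `data/aaa-app-config.xml` remains the non-AAF file, would also help.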
index f440969..791d933 100644 (file)
@@ -62,6 +62,8 @@ spec:
               value: "{{ .Values.config.configDir }}"
             - name: DMAAP_TOPIC_ENV
               value: "{{ .Values.config.dmaapTopic }}"
+            - name: ENABLE_AAF
+              value: "{{ .Values.config.enableAAF }}"
             - name: ENABLE_ODL_CLUSTER
               value: "{{ .Values.config.enableClustering }}"
             - name: APPC_REPLICAS
@@ -82,6 +84,9 @@ spec:
           - mountPath: /opt/onap/appc/data/properties/aaiclient.properties
             name: onap-appc-data-properties
             subPath: aaiclient.properties
+          - mountPath: /opt/onap/appc/data/properties/aaa-app-config.xml
+            name: onap-appc-data-properties
+            subPath: aaa-app-config.xml
           - mountPath: /opt/onap/appc/svclogic/config/svclogic.properties
             name: onap-appc-svclogic-config
             subPath: svclogic.properties
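Review bot: The new subPath mount takes key `aaa-app-config.xml` from the `onap-appc-data-properties` volume, but no ConfigMap template is changed in this commit; if that ConfigMap is built from a file glob of the properties directory the key will exist, otherwise the pod fails to start with a missing-key error, so this is worth confirming before merge. The `ENABLE_AAF` env value is rendered as the string `"true"`/`"false"` from a YAML boolean and is consumed by a shell test in startODL.sh, so a comment such as `# rendered as the literal strings "true"/"false"; startODL.sh tests this value` next to the new env entry would document the contract between the two files.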
index 4b47c63..1c20977 100644 (file)
@@ -29,7 +29,7 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/appc-image:1.3.0
+image: onap/appc-image:1.4.0-SNAPSHOT-latest
 pullPolicy: Always
 
 # flag to enable debugging - application support required
@@ -37,7 +37,10 @@ debugEnabled: false
 
 # application configuration
 config:
+  aafExtIP: 127.0.0.1
+  aafExtFQDN: aaf-onap-beijing-test.osaaf.org
   dbRootPassword: openECOMP1.0
+  enableAAF: false
   enableClustering: true
   configDir: /opt/onap/appc/data/properties
   dmaapTopic: SUCCESS
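Review bot: The new `aafExtIP: 127.0.0.1` default is written into the container's /etc/hosts together with `aafExtFQDN` when `enableAAF` is switched on, so enabling AAF without overriding the IP pins the AAF hostname to loopback and every authentication attempt fails; the pairing should be documented, e.g. `# aafExtIP/aafExtFQDN are only used when enableAAF is true; both are written to /etc/hosts at startup, so aafExtIP must be the reachable AAF address`. The default FQDN names a specific shared test instance, which is worth marking as a placeholder rather than a production value. In the first hunk the image tag moves from the fixed `1.3.0` to the floating `1.4.0-SNAPSHOT-latest` while `pullPolicy: Always` stays, so each pod restart can pull a different build; a comment stating that this is a temporary development pin, or a digest-pinned tag, would keep deployments reproducible.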