From 8eeb5660ed71a76aa0dacbed3ee0ef0939c2c442 Mon Sep 17 00:00:00 2001 From: Jorge Hernandez Date: Mon, 19 Nov 2018 17:04:45 -0600 Subject: [PATCH] AAF documentation Change-Id: I3cab80a2305578625f550ed591135f19227a3afb Issue-ID: POLICY-1259 Signed-off-by: Jorge Hernandez (cherry picked from commit 367c1e79e700c30e3cfaf4dece64d3b6847bb3c2) --- docs/platform/aaf.rst | 267 ++++++++++++++++++++++++++++++++++++++++++++++++ docs/platform/index.rst | 1 + 2 files changed, 268 insertions(+) create mode 100644 docs/platform/aaf.rst diff --git a/docs/platform/aaf.rst b/docs/platform/aaf.rst new file mode 100644 index 000000000..a64afae16 --- /dev/null +++ b/docs/platform/aaf.rst @@ -0,0 +1,267 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 + +********************* +HTTPS and AAF Support +********************* + +.. contents:: + :depth: 3 + +The pap, console, pdp-x, brmsgw, and pdp-d components have been migrated from HTTP to HTTPS. Server certificates were derived from the AAF Root CA. + +AAF is supported for externally facing entry points into the Policy subsystem. These are: + +* PDP-D supports AAF for its telemetry and healthcheck APIs. +* PDP-X supports AAF for its external policy APIs. It is currently disabled as some of clients are not AAF-capable, and this is a global setting. +* Console (for Browser Portal redirects) supports AAF when accessed through Portal. + ++--------+------+------------+-----+-----+---------------------------------+ +| Policy | Role | Remote |HTTPS| AAF | Notes | ++========+======+============+=====+=====+=================================+ +| pdp-d |server| \* |true |true |Healthchek and Telemetry APIs | ++--------+------+------------+-----+-----+---------------------------------+ +| pdp-d |client| aaf |true |true |Two-way TLS | ++--------+------+------------+-----+-----+---------------------------------+ +| pdp-d |client| aai |true |true |Runtime Control Loop Execution | ++--------+------+------------+-----+-----+---------------------------------+ +| pdp-d |client| dmaap |true |false|Runtime Control Loop Execution | ++--------+------+------------+-----+-----+---------------------------------+ +| pdp-d |client| so |false|false|Not supported in so | ++--------+------+------------+-----+-----+---------------------------------+ +| pdp-d |client| vfc |false|false|Not supported in vfc | ++--------+------+------------+-----+-----+---------------------------------+ +| pdp-x |server| \* |true |false|Not all clients are AAF-capable | ++--------+------+------------+-----+-----+---------------------------------+ +| pap |server| \* |true |false|Not all clients are AAF-capable | ++--------+------+------------+-----+-----+---------------------------------+ +| console|server| portal |true |true |Redirected from portal | ++--------+------+------------+-----+-----+---------------------------------+ +| brmsgw |client| dmaap |true |false|Runtime Control Loop Execution | ++--------+------+------------+-----+-----+---------------------------------+ + +AAF Configuration +^^^^^^^^^^^^^^^^^ + +The default demo ONAP installation comes up bootstrapped with the following AAF data with regards to Policy. + +.. code-block:: bash + :caption: Bootstrapped AAF configuration + + Basic Permissions: + org.onap.policy.access * * + org.onap.policy.access * read + org.onap.policy.certman local request,ignoreIPs,showpass + + Portal Permissions (for UI purposes, administered by Portal team): + org.onap.policy.menu menu_admin * + org.onap.policy.menu menu_ajax * + org.onap.policy.menu menu_concept * + org.onap.policy.menu menu_customer * + org.onap.policy.menu menu_customer_create * + org.onap.policy.menu menu_doclib * + org.onap.policy.menu menu_feedback * + org.onap.policy.menu menu_help * + org.onap.policy.menu menu_home * + org.onap.policy.menu menu_itracker * + org.onap.policy.menu menu_job * + org.onap.policy.menu menu_job_create * + org.onap.policy.menu menu_job_designer * + org.onap.policy.menu menu_logout * + org.onap.policy.menu menu_map * + org.onap.policy.menu menu_notes * + org.onap.policy.menu menu_policy * + org.onap.policy.menu menu_process * + org.onap.policy.menu menu_profile * + org.onap.policy.menu menu_profile_create * + org.onap.policy.menu menu_profile_import * + org.onap.policy.menu menu_reports * + org.onap.policy.menu menu_sample * + org.onap.policy.menu menu_tab * + org.onap.policy.menu menu_task * + org.onap.policy.menu menu_task_search * + org.onap.policy.menu menu_test * + org.onap.policy.url doclib * + org.onap.policy.url doclib_admin * + org.onap.policy.url login * + org.onap.policy.url policy_admin * + org.onap.policy.url policy_dashboard * + org.onap.policy.url policy_dictionary * + org.onap.policy.url policy_editor * + org.onap.policy.url policy_pdp * + org.onap.policy.url policy_push * + org.onap.policy.url policy_roles * + org.onap.policy.url view_reports * + + PDP-D Permissions for Telemetry REST API access: + org.onap.policy.pdpd.healthcheck * get + org.onap.policy.pdpd.healthcheck.configuration * get + org.onap.policy.pdpd.telemetry * delete + org.onap.policy.pdpd.telemetry * get + org.onap.policy.pdpd.telemetry * post + org.onap.policy.pdpd.telemetry * put + + PDP-X Permissions for XACML REST APIs: + org.onap.policy.pdpx.config * * + org.onap.policy.pdpx.createDictionary * * + org.onap.policy.pdpx.createPolicy * * + org.onap.policy.pdpx.decision * * + org.onap.policy.pdpx.getConfig * * + org.onap.policy.pdpx.getConfigByPolicyName * * + org.onap.policy.pdpx.getDecision * * + org.onap.policy.pdpx.getDictionary * * + org.onap.policy.pdpx.getMetrics * * + org.onap.policy.pdpx.list * * + org.onap.policy.pdpx.listConfig * * + org.onap.policy.pdpx.listPolicy * * + org.onap.policy.pdpx.policyEngineImport * * + org.onap.policy.pdpx.pushPolicy * * + org.onap.policy.pdpx.sendEvent * * + org.onap.policy.pdpx.updateDictionary * * + org.onap.policy.pdpx.updatePolicy * * + + Basic Namespace Admin Roles: + org.onap.policy.admin + org.onap.policy.owner + org.onap.policy.seeCerts + + Portal Roles for UI: + org.onap.policy.Account_Administrator + org.onap.policy.Policy_Admin + org.onap.policy.Policy_Editor + org.onap.policy.Policy_Guest + org.onap.policy.Policy_Super_Admin + org.onap.policy.Policy_Super_Guest + org.onap.policy.Standard_User + org.onap.policy.System_Administrator + + PDP-D Roles: + org.onap.policy.pdpd.admin + org.onap.policy.pdpd.monitor + + PDP-X Roles: + org.onap.policy.pdpx.admin + org.onap.policy.pdpx.monitor + + Users: + demo@people.osaaf.org + policy@policy.onap.org + + +demo@people.osaaf.org and policy@policy.onap.org are properly configured with AAF in n a default ONAP installation. These are: + + +.. code-block:: bash + :caption: Default permissions for demo and policy accounts. + + List Permissions by User[policy@policy.onap.org] + -------------------------------------------------------------------------------- + PERM Type Instance Action + -------------------------------------------------------------------------------- + org.onap.policy.access * * + org.onap.policy.access * read + org.onap.policy.certman local request,ignoreIPs,showpass + org.onap.policy.pdpd.healthcheck * get + org.onap.policy.pdpd.healthcheck.configuration * get + org.onap.policy.pdpd.telemetry * delete + org.onap.policy.pdpd.telemetry * get + org.onap.policy.pdpd.telemetry * post + org.onap.policy.pdpd.telemetry * put + org.onap.policy.pdpx.createDictionary * * + org.onap.policy.pdpx.createPolicy * * + org.onap.policy.pdpx.decision * * + org.onap.policy.pdpx.getConfig * * + org.onap.policy.pdpx.getConfigByPolicyName * * + org.onap.policy.pdpx.getDecision * * + org.onap.policy.pdpx.getDictionary * * + org.onap.policy.pdpx.getMetrics * * + org.onap.policy.pdpx.list * * + org.onap.policy.pdpx.listConfig * * + org.onap.policy.pdpx.listPolicy * * + org.onap.policy.pdpx.policyEngineImport * * + org.onap.policy.pdpx.pushPolicy * * + org.onap.policy.pdpx.sendEvent * * + org.onap.policy.pdpx.updateDictionary * * + org.onap.policy.pdpx.updatePolicy * * + + List Permissions by User[demo@people.osaaf.org] + -------------------------------------------------------------------------------- + PERM Type Instance Action + -------------------------------------------------------------------------------- + org.onap.policy.access + org.onap.policy.access * read + org.onap.policy.menu menu_admin * + org.onap.policy.menu menu_ajax * + org.onap.policy.menu menu_customer * + org.onap.policy.menu menu_customer_create * + org.onap.policy.menu menu_feedback * + org.onap.policy.menu menu_help * + org.onap.policy.menu menu_home * + org.onap.policy.menu menu_itracker * + org.onap.policy.menu menu_job * + org.onap.policy.menu menu_job_create * + org.onap.policy.menu menu_logout * + org.onap.policy.menu menu_notes * + org.onap.policy.menu menu_process * + org.onap.policy.menu menu_profile * + org.onap.policy.menu menu_profile_create * + org.onap.policy.menu menu_profile_import * + org.onap.policy.menu menu_reports * + org.onap.policy.menu menu_sample * + org.onap.policy.menu menu_tab * + org.onap.policy.menu menu_test * + org.onap.policy.pdpd.healthcheck * get + org.onap.policy.pdpd.healthcheck.configuration * get + org.onap.policy.pdpd.telemetry * delete + org.onap.policy.pdpd.telemetry * get + org.onap.policy.pdpd.telemetry * post + org.onap.policy.pdpd.telemetry * put + org.onap.policy.pdpx.config * * + org.onap.policy.pdpx.createDictionary * * + org.onap.policy.pdpx.createPolicy * * + org.onap.policy.pdpx.decision * * + org.onap.policy.pdpx.getConfig * * + org.onap.policy.pdpx.getConfigByPolicyName * * + org.onap.policy.pdpx.getDecision * * + org.onap.policy.pdpx.getDictionary * * + org.onap.policy.pdpx.getMetrics * * + org.onap.policy.pdpx.list * * + org.onap.policy.pdpx.listConfig * * + org.onap.policy.pdpx.listPolicy * * + org.onap.policy.pdpx.policyEngineImport * * + org.onap.policy.pdpx.pushPolicy * * + org.onap.policy.pdpx.sendEvent * * + org.onap.policy.pdpx.updateDictionary * * + org.onap.policy.pdpx.updatePolicy * * + org.onap.policy.url doclib * + org.onap.policy.url doclib_admin * + org.onap.policy.url login * + +Disabling AAF +^^^^^^^^^^^^^ + +AAF is enabled by default in PDP-D installations. Set the AAF installation variable to false to disable it. + ++---------------+-------------------------+----------+---------------------------+ +| Repository | Install File | Variable | Notes | ++===============+=========================+==========+===========================+ +| policy/docker | config/drools/base.conf | AAF | Heat Installation | ++---------------+-------------------------+----------+---------------------------+ +| oom | config/drools/base.conf | AAF | OOM Installation | ++---------------+-------------------------+----------+---------------------------+ + +AAF can also be disabled at runtime within the PDP-D container by modifying the following files. + ++----------------------------------------------------+-----------------------------------------+ +| File | Property | ++====================================================+=========================================+ +| $POLICY_HOME/config/policy-engine.properties | http.server.services.SECURED-CONFIG.aaf | ++----------------------------------------------------+-----------------------------------------+ +| $POLICY_HOME/config/feature-healthcheck.properties | http.server.services.HEALTHCHECK.aaf | ++----------------------------------------------------+-----------------------------------------+ + +After modifying these files, restart the container with "policy stop; policy start" + + + +End of Document diff --git a/docs/platform/index.rst b/docs/platform/index.rst index 0bac8a09d..0d097717d 100644 --- a/docs/platform/index.rst +++ b/docs/platform/index.rst @@ -21,6 +21,7 @@ Policy Installation and Deployment installAmsterController.rst swarch_srm.rst deployment.rst + aaf.rst Policy Software Architecture ---------------------------- -- 2.16.6