...
Spring Boot 1.5.10 vulnerabilities
Code Coverage Policy Enforcement
For aai-common, resources, and traversal we've enabled a JaCoCo coverage threshold to make sure that code coverage doesn't fall on a commit. This will prevent contributors from merging code that would negatively impact the overall code coverage of a repo. Let's discuss enabling this across the board on all AAI repos.
Update 11 April: James Forsyth and Venkata Harish Kajur - Look at automated PoC polling script, add test coverage.
Release version
Need to discuss how we manage the release versions of our artifacts, including docker images and the various internal dependencies.
Update 4 April: Currently using a snapshot version for the Dev branch; need a US to remove references to internal snapshots for each report; need a US for releasing current versions of each repo.
Update 11 April: Plan the release version next Wed after the meeting; take all components as is, then take a patch for RC1 for those that are unversioned.
Update 18 April: Order of release:
Update 9 May: Former user (Deleted) volunteered to automate a script for producing the artifacts and verifying that poms are on the correct version, or possibly use the command line for Casablanca.
Beijing Demo Hostnames
How should AAI hostnames/ports be configured in AAI clients? Are we still using aai.api.simpledemo.onap.org? How do we configure the toy certificates? Will there be a new hostname for clients who connect via MSB? Perhaps Former user (Deleted) can comment on how other systems are handling these issues. If there will be multiple hostnames that clients can use to connect to AAI, should we configure SAN certificates for the demo (example: aai.api.simpledemo.onap.org:8443 and aai.msb.api.simpledemo.onap.org:10081)? It is still unclear which system will serve as the demo CA to issue our server certs.
Update 16 March: MSB will listen on port 443; our clients will need to configure a new hostname for the MSB endpoint, https://msb-iag.onap:443 in k8s. hostname:port need to be runtime-configurable variables. Will there be a CA for .onap hostnames?
PATH1: Client → AAI aai.api.simpledemo.onap.org:8443 (HAProxy) → AAI resources port 8447, AAI traversal 8446 (cert with subject aai.api.simpledemo.onap.org). The client needs to trust the signer of the onap.org cert, which currently is the openecomp.org CA.
PATH2: Client → msb-iag.onap:443 (MSB) → aai-ms.onap, which is the same service: AAI resources port 8447, AAI traversal 8446 (will be the default, and probably the only path after Beijing).
Alternatives: a SAN (Subject Alternative Name) cert that allows both aai.api.simpledemo.onap.org and aai-resources.onap, or tell clients to disable hostname verification?
Huabing: I guess we just use SSL for encryption, but not for authentication, until ONAP has an internal CA available.
Update 21 March: Client → (https) MSB → (https, private key + self-signed certificate) ESR → (https) AAI
Update 17 April: AAF has signed a new certificate, which we will be releasing with our new artifacts and docker images for RC0. Francis Paquette - Follow up with the sparky certificate.
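The SAN-versus-"disable hostname verification" question above can be settled by checking, before the certificate is issued, that its dNSName entries cover every name a client will actually connect to on PATH1 and PATH2. The following is an added example, not code from the ONAP AAI project: the SAN list and the client endpoints are constructed from the two paths in the notes, and the per-microservice name aai-traversal.onap is an assumption (the notes only mention aai-resources.onap). It also shows the client-side counterpart: a Python ssl context that keeps chain and hostname checks on and trusts a named CA bundle, which is what clients should do instead of turning hostname verification off.

```python
"""Hostname coverage check for the AAI demo TLS endpoints (added example)."""
import ssl
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed: dNSName entries one server certificate would carry so that the
# same cert is valid on PATH1 (HAProxy name) and PATH2 (in-cluster names).
AAI_SAN_DNS_NAMES = [
    "aai.api.simpledemo.onap.org",
    "aai-resources.onap",
    "aai-traversal.onap",  # assumption: traversal gets a name like aai-resources.onap
]

# Constructed: every host:port a client or MSB would connect to for AAI.
CLIENT_ENDPOINTS = [
    "aai.api.simpledemo.onap.org:8443",  # PATH1, HAProxy front door
    "aai-resources.onap:8447",           # PATH2, resources behind MSB
    "aai-traversal.onap:8446",           # PATH2, traversal behind MSB
]


def endpoint_hostname(endpoint: str) -> str:
    """Extract the host from 'host:port' or a full URL; the scheme and port are
    never part of the name that is matched against the certificate."""
    url = endpoint if "://" in endpoint else "//" + endpoint
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in endpoint {endpoint!r}")
    return host


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName matching: case-insensitive, trailing dot ignored,
    a wildcard is honoured only as the complete leftmost label, matches exactly
    one label, and needs at least two labels to its right (so '*.onap' is
    rejected rather than matching every in-cluster service name)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_covered(san_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN dNSName entry matches the hostname."""
    return any(dns_name_matches(name, hostname) for name in san_names)


def missing_names(san_names: Iterable[str], endpoints: Iterable[str]) -> List[str]:
    """Hostnames (port stripped) the certificate would NOT be valid for.
    An empty list means clients can keep hostname verification switched on."""
    san_list = list(san_names)
    hosts = (endpoint_hostname(e) for e in endpoints)
    return [h for h in hosts if not hostname_covered(san_list, h)]


def client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client-side alternative to disabling hostname verification: trust only
    the demo CA bundle (system store when None) and keep both the chain check
    and the hostname check enabled."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


if __name__ == "__main__":
    gaps = missing_names(AAI_SAN_DNS_NAMES, CLIENT_ENDPOINTS)
    print("AAI hostnames not covered by the SAN list:", gaps or "none")
    # The MSB front door presents MSB's own certificate, so it is expected to
    # fall outside the AAI certificate's SAN list.
    print("msb-iag.onap covered by the AAI cert:",
          not missing_names(AAI_SAN_DNS_NAMES, ["https://msb-iag.onap:443"]))
```

Run it against the names in your own OOM/HEAT config before requesting the cert from AAF: any hostname reported by missing_names is one where a client would either fail verification or be tempted to disable it.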
JanusGraph across all AAI mS
Plan to merge JanusGraph support for the resources and traversal microservices (should be done by meeting time). Need to make sure we have alignment across all configs to use the Janus libraries and create the Janus tables in Cassandra at AAI spin-up, either in HEAT or OOM. Need to update resources/traversal/champ configs; anywhere else?
Update 28 March: Steve Blimkie / Venkata Harish Kajur to coordinate for OOM and test config.
Update 11 April: Venkata Harish Kajur to work with Marco to see if it can be done in the lab.
Update dmaap dependencies
In the various repos that still use com.att.nsa, the dependency should be: <groupId>org.onap.dmaap.messagerouter.dmaapclient</groupId> <artifactId>dmaapClient</artifactId> <version>1.1.3</version> (AAI-841 Replace dmaapclient dependency, Open).
Update 9 March: Event-client recently added to ONAP (found in pom.xml); Tian Lee to update to use the latest version (1.1.3) in pom.xml. Recommendation is to use the aai.event.client instead of the dmaap client. Please update each of your own microservices.
Update 16 March: Venkata Harish Kajur to complete resources, traversal.
Babel (Damian Nowak)
Tian Lee provided an overview of Babel. Damian requested documentation; Tian Lee and CT Paterson suggested some docs that can be provided. Models come into AAI through Babel, so changes to the models must be made in SDC. Nokia is interested in model changes for 5G PNF support. Clarified the difference between service/resource models and schema. Tian Lee working with Damian: adding model to OXM, liaising with SDNC for models containing PNFs; will run through Babel to see if additional work is needed. Olaf Burdziakowski working with Damian Nowak regarding PNFs needed.
3/02: Schema changes and defined APIs needed by next Thu (8 March).
Update 8 March: Gerrit review https://gerrit.onap.org/r/#/c/34489/ is awaiting feedback from Olaf Burdziakowski.
Update 9 March: Olaf Burdziakowski updated OXM; successfully tested the OXM updates in the lab: set up an AAI instance, called the API. Any issues, reach out to Venkata Harish Kajur or James Forsyth. Leave this item for future meetings.
Nexus IQ
Anything Red for Security Issues and License Analysis needs to be fixed in order to pass M4 (29 March). Vulnerabilities due to AJSC need to have a plan on how to mitigate. James Forsyth has created a parent story in JIRA for each repo; need each repo owner to bring us into full compliance. JIRA labels added: Security, AJSCDependency. By M3 (9 March) need to have a plan on how to mitigate. Nexus IQ is higher priority than CII Badging. Venkata Harish Kajur to provide Richard Epp with guidance on Spring Boot templates.
3/02: Richard Epp uploaded a spreadsheet containing the next candidates if vulnerabilities still exist.
Update 9 March: GREAT progress on this item: we replaced the AJSC dependencies with Spring Boot 1.5.1 and have cleared all critical issues from resources, down to only 2 in
Update 9 March: Main work needed for M4. Venkata Harish Kajur working on aai.com; the majority are related to AJSC, which has been dropped and replaced with Spring Boot 1.5.10. Venkata Harish Kajur has a few changes still needed in pom.xml: change of parent pom (AJSC to Spring Boot) and AJSC dependencies to Spring Boot. aai.service: possibly remove as no longer used; Venkata Harish Kajur to email Jimmy on removal. Please review your responsible app and send any questions to James Forsyth.
Update 14 March: Deadline for this for all repos is 24 March. This means all dependencies that can be upgraded will have been merged by 24 March. Any policy violations that cannot be cleared will be tracked here: AAI R2 Security/Vulnerability Threat Template. Colin Burns will provide a mitigation strategy by 21 March.
Update 21 March: Wiki page AAI R2 Security/Vulnerability Threat Matrix created under R2 Release Planning. Please add to the matrix if your app will not make the remediations needed for Sev 7, 8, or 9 before code freeze. We will not pass M4 unless we have a plan in place. Also alert James Forsyth if your app is not going to make it in time.
Update 4 April: Discuss next week Risk vs Benefits along with the level of confidence in changes made late in the cycle.
Update 18 April: James Forsyth - Write JIRA ticket for http4.5 event-client; Zi Li - Check Nexus IQ report for ESR server; Venkata Harish Kajur - Look at Nexus-IQ common report, high priority.
Update 2 May: Will be using release common 1.2.4; all should go through all dependencies to aai.com to use 1.2.4. James Forsyth to host a troubleshooting session right after today's meeting to work through open issues on the Nexus IQ report.
Update 9 May: For Casablanca, the severe category will become an issue; anything above 4 will need to be eliminated.
CII Badging
Wiki page with instructions on the process: CII Badging Program. We have two CII Badging submissions currently active on the CII Best Practice Badge Program: 1) AAI and 2) Sparky-fe. The team needs to decide how to split up the project; AAI is too big to fit under a single project. James Forsyth proposes the following breakdown for CII badging:
1) AAI core (REST providers and common code) - James Forsyth - Project created, ongoing progress.
2) GUI - Arul Nambi - Need to include more repos in the current "front-end" project.
3) Model loader - Tian Lee / Mark Tooski - Need to create projects.
4) ESR - Zi Li - Project is created, still an ongoing process to meet all the requirements.
The idea is that we assign one key person who will be responsible for getting the badge on their set of repos. This is just a suggestion, and I invite discussion, re-categorization, and complete rewrites. Owners of the sets can decide whether it makes sense to group sets into one CII badging request, or split. Every repo above must be included in one CII submission.
23 Feb: Need a readout next week per repo as to where we stand and how we can close before M4 (3/29). Zi Li and Arul Nambi will work together to see if the same kind of scan will work for both components.
2 March: SONAR will not report on JavaScript-based repos, so those need to be run manually via another tool locally.
Update 3/8: Urgent - need to document our plan and have a commitment to get to 50% coverage by M4. Preferably sooner, to prevent giving your PTL a heart attack. Offending repos:
ALSO: if your repo is part of Beijing but is NOT part of the SONAR scan (Venkata Harish Kajur, graphadmin leaps to mind), please fix that ASAP.
Update 9 March: Steve Blimkie needs James Forsyth's signoff on moving small libraries within event and rest clients to aai.core; Spike and Gap not used in Beijing; Tian Lee to create a project for Model loader; may need a secondary URL describing model-loader but pointing to aai.core. Gizmo - Giulio Graziani requesting adding it to his team's work list. Common - Venkata Harish Kajur working on it. Router-core - AMDOCS to work on it.
Update 16 March: James Forsyth to verify on the PTL call if all vulnerabilities 4 or above need to be cleared in order to pass.
Update 21 March: Title of the project must have ONAP as the first word; Mark Tooski to pick up Tian Lee's action items while he is out.
Update 4 April: We are at 97%.
Issue 1 - Parsing of YAML file into RST format
Richard Epp to send the YAML file via email to Pavel and attach it to the wiki so all can see. The YAML file is too large, and the resulting RST file cannot be read by readmedoc, making it unusable. Issues parsing the YAML file into RST format: the structure is not correct; the structure of the YAML file must follow the Swagger structure.
Issue 2 - Exposing AAI Swagger through MSB
Suggestion of using the MSB portal with a link of the file to readmedoc. How to display REST APIs via the swagger UI integrated with MSB: https://wiki.onap.org/display/DW/Microservice+Bus+API+Documentation#MicroserviceBusAPIDocumentation-APIDefinitionandSwagger-UI Will need to continue as an open item until resolved. Contact Zi Li / Former user (Deleted) for more information about integration. Just require the swagger JSON file for integration: Richard Epp, please provide the JSON to Zi Li; Zi Li, please download the YAML file above and see if you can make use of it in MSB. Note: an alternate Swagger UI service is already available. Huabing: Please refer to the comments below for session sticky and AAF plugin progress.
2018-02-16: The generator of the RST can't find the definitions (there is a getDefinitions and patchDefinitions) and the parser can't deal with it. The generator can only parse ASCII, and there are characters outside the ASCII set. PATCH and GET methods can possibly be split into their own files. Richard Epp will look into installing swagger UI in the Windriver lab; Venkata Harish Kajur knows how to access it, contact Stephen Gooch for access.
23 Feb: Richard Epp split up the files; James Forsyth uploaded network put and get (RST files), which passed. Will do REST next. Richard Epp to get access to JIRA (LF). Venkata Harish Kajur to provide guidance to Richard Epp on setting up a dev env locally.
2 March: Richard Epp uploaded all RST files to the wiki yesterday; not able to run GET commands, will work on the permissions issue.
Update 8 March: Richard Epp was OOO this week, need to close on this one soon. Also need to regenerate based on the current v13 schema files (including pending commits that aren't merged yet).
Update 16 March: Follow-up needed with Richard Epp.
Update 21 March: Richard Epp will add to Gerrit before next Thu, in time before M4; will use git review. He will reach out to James Forsyth if any issues are encountered.
Update 4 April: Richard Epp and Rich Bennett discussed; no path forward. James Forsyth to ask for a continued exception for our documentation. James Forsyth to create a US for v12 versus v13.
Update 17 April: New format for Casablanca; we might do it for Beijing because it works better for us: Example New Offereapis Page
Jenkins
Release Jenkins jobs are still failing. Helpdesk ticket # 52082. Changes to AAI-COMMON are not picked up by downstream projects (resources, traversal). Unable to release aai-common, as we cannot release multiple times without incrementing the version. Liaising with the ONAP helpdesk about whether we can release multiple minor versions of an artifact. Proposal for the Monday PTL meeting to align the SNAPSHOT strategy. Venkata Harish Kajur to include Steve Blimkie on the email exchange with the ONAP Help desk.
2018-02-16: James Forsyth raised it on the PTL call on Monday. Decision is to use SNAPSHOT for Beijing development; currently we're setting our snapshot as 1.2.1. Disabled the daily jobs (which fail because the snapshot/staging artifacts don't exist). Removed all amsterdam jjb jobs. Need a better plan for Casablanca.
23 Feb: Steve Blimkie will check on the dependency and fix it.
Update 9 March: Steve Blimkie provided a fix. Need a better plan for Casablanca.
Update 21 March: James Forsyth will cut releases upon return from CA.
Update 18 April: LF is going to turn off the daily docker build job in Jenkins; there will be a weekly build, but a new docker image will be built when there is a merge.
MSB Integration Status
The MSB AAF auth plugin. Might need a plugin in MSB to achieve stickiness of requests. Huabing asked Jonathan Gathman about the AAF API; further details required.
2018-02-16: Adrian Slavkovsky is waiting for MSB fixes: stickiness/ip_hash load balancing doesn't work, and the kube2msb registrator doesn't register ports correctly. We need to socialize the hostname that clients will use; follow up with Former user (Deleted) and other teams about how this will work. James Forsyth will raise the issue on next Monday's PTL call.
23 Feb: Adrian Slavkovsky to follow up and provide feedback next meeting.
28 Feb: Huabing update; Adrian Slavkovsky, James Forsyth
3 March: Former user (Deleted) to fix the issue with ip_hash.
Update 9 March: Vijay Kumar scheduled a 12 March meeting to go over changes; trying to get MSB into the OAM project; security issue getting MSB with AAF.
Update 16 March: Adrian Slavkovsky merged changes, will do the same for heat templates next week.
Cassandra Clustering
Goal: provide HA to AAI.
Issue 1 - remote storage: Meetings with Michael O'Brien; the OOM team should check the video recording of the session. @Michael O'Brien will arrange a further meeting on Monday.
Issue 2 - simulating outage: Pavel + Harish will try to simulate on Monday. We have a 3-node replicated cluster configured with local storage; need to discuss if this will be adequate for the purpose of Beijing integration testing.
- AAI-539 Set up Cassandra docker images in 3 node cluster (OPEN)
- OOM-591 AAI needs persistent volumes configured, need help with OS in lab (REOPENED)
Michael O'Brien from the OOM team will assist with OOM-591. Michael O'Brien to respond back to Harish's email and set up a meeting on Monday 10 AM; will put it on the OAM discussion page so others interested can attend. https://lists.onap.org/pipermail/onap-discuss/2018-February/007954.html https://lists.onap.org/pipermail/onap-discuss/2018-February/007955.html
2016-02-16: Working cluster; Titan + Thrift allowed us to use Cassandra 3. Janus will not have the Thrift requirement.
23 Feb: Venkata Harish Kajur has the connection ready; will test after a node fails; will work with Former user (Deleted).
2 March: Venkata Harish Kajur to test node failure next week and advise findings.
Update 9 March: Venkata Harish Kajur's testing indicates the cluster is not working properly; will look into the Cassandra configuration.
Update 16 March: Venkata Harish Kajur made significant progress, all working as expected; Adrian Slavkovsky would like use case guidance, James Forsyth to provide a contact.
Update 21 March: Bill Pezzuti to send use case to Adrian Slavkovsky and Former user (Deleted).
Update 11 April: Venkata Harish Kajur to follow up with getting clarification on the ask from Karen Jacobs.
Update 18 April: OOM job is merged.
...
Action items
- James Forsyth - Investigate CSIT jobs for validating services.
- James Forsyth and Venkata Harish Kajur - Look at automated PoC polling script, add test coverage.
- James Forsyth - Look at reporting vulnerabilities of Janus Graph
- James Forsyth - Write JIRA ticket for http4.5 event-client
- Francis Paquette - Follow up with the sparky certificate
- Zi Li - Look at AAI-1096 and provide fix
- James Forsyth will reach out to Victor and Shankar on access to A&AI lab
- William LaMont to update demo wiki page and work with Matej Perina on his setup.
- James Forsyth to document on Using AAI in OpenLab - "In Reply - post your verification was successful and working"
- Shirley Morgan to invite Andrew Muller to next week's meeting for talk on data grooming
...