...
The goal of the project is to provide consistent authentication, authorization and security to various ONAP components. AAF organizes software authorizations so that applications, tools and services can match the access needed to perform job functions. AAF is designed to cover Fine-Grained Authorization, meaning that the Authorizations provided are able to use an Application's detailed authorizations, such as whether a user may be on a particular page, or has access to a particular Pub-Sub topic controlled within the App. This is a critical function for Cloud environments, as Services need to be able to be installed and running in a very short time, and should not be encumbered with local configurations of Users, Permissions and Passwords. The sister framework CADI ( Code Access Data Identity ) allows Java Applications to utilize Identity Authentication methods as plugins. Certificate Manager delivers X509 X.509 certificates in support of 2 way x509 TLS.
Scope:
The scope of the AAF project is a plugable pluggable and extensible framework that
- Organizes software authorizations so that applications, tools and services can match the access needed to perform job functions.
- Provides Enterprise Level Authentication and Authorization
- Provides Role based authorization, including attribute-based authorization elements as well
- The frameworks exposure layer should be consumable by any product or technology.
- The frameworks should be highly available with a resilient data store
- Provides administration functions by GUI and management API's.APIs
- Provides consistent client plugins to access authentication and authorization frameworks functions
- Provides support for multi-tenancy
- Provides support for SSL Certificate management
- Provides support for OAuth2.
- Support Microservices ( Docker/Kubernetes )
- Provide hardware security plugin for storing private keys and for performing crypto cryptography operations that require private keys.
- Management of Secrets and Protection of secretsSecrets
CADI ( Code Access Data Identity) - Addresses the Runtime Elements of Access and Identity.
...
A Namespace, in AAF, is the ensemble of Roles, Permissions and Identities. Namespaces are known by domain, example com.onap.dcae or com.onap.appc and they are hierarchically managed.
A Namespace is assigned to an application. A namespace contains one or more roles and one or more permissions. By default, every namespace has an admin role
People in Namespaces
Tasks that the Owner (Responsible) must
...
perform:
- Owners receive by email a notification to Approve.
- Owners also receive notifications of time based activities
- Periodic Revalidation of Users in Roles in Namespace
- Periodic Revalidation of Permission in Namespace to Roles
...
- Create/Delete/Modify Roles in Namespace
- Add/Remove Users from Roles in Namespace
- Create/Delete/Modify Permissions in Namespace
- Grant/Ungrant (i.e. Revoke) Permissions in Namespace to any Role in the company (Cross Company Role Grants are possible, but require approvals from both sides).
...
- Type -
This is the core name of the Permission, and describe it's describes its kind. The type is "meta-data" it which is a reference to the kind of Resource that is to be protected
- Instance - The object that is being interacted withof the interaction. E.g. Database Table.
- Action - What is happening to that object. E.g. read, write, delete, etc.
...
- What other ONAP projects does this project depend on?
- Does not depend on any ONAP project.
- How does this align with external standards/specifications?
- X-.509 Certificates
- Are there dependencies with other open source projects?
Cassandra
- DME ( Direct Messaging Engine, developed by "AT&T Common platform" Team )
...
- link to seed code: https://github.com/att/AAF
- Vendor Neutral
- The current seed code has been already scanned ( Using using Fossology and Blackduck) and cleaned up to remove all proprietary trademarks, logos.
- Subsequent modification to the existing seed code should continue to follow the same scanning and clean-up principles
- Meets Board policy (including IPR)
...