Integration details
...
There will be a separate permission for traversal and resources web services. Let's call these permissions org.onap.aai.resources and org.onap.aai.traversal. For now we will not distinguish between different objects we could affect, so the instance will always be "*" meaning everything. Actions will be mapped to HTTP verbs - GET, PUT, POST, DELETE, PATCH.
For a seemless transition to AAF, the first roles we use for our clients will be called org.onap.aai.resources_all and org.onap.aai.traversal_all with read and write permission and org.onap.aai.resources_readonly and org.onap.aai.traversal_readonly with read only permission. These roles will be assigned to all users/applications which access A&AI web services.
| Role org.onap.aai.traversal_all | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
role create org.onap.aai.resources_all perm create org.onap.aai.resources * get org.onap.aai.resources_all perm create org.onap.aai.resources * put org.onap.aai.resources_all perm create org.onap.aai.resources * post org.onap.aai.resources_all perm create org.onap.aai.resources * patch org.onap.aai.resources_all perm create org.onap.aai.resources * delete org.onap.aai.resources_all user role add demo@people.osaaf.org org.onap.aai.resources_all #just an example, add role to the correct user role create org.onap.aai.resources_readonly perm create org.onap.aai.resources * get org.onap.aai.resources_readonly |
Open questions
- How are permissions and roles for traversal modeled? What are the requirements?
- How do we enable AAF since it has to have a connection to the windriver lab? Or we enable it only in special deployments?
- What are the variable configuration parameters of AAF? - the certificate, AAF server IP, permission names? Whaat to externalise to OOM?
- Who creates the roles and permissions during the new release, who and how maintains these scripts?
...