...
API gateways such as Kong have emerged as a useful technology for exposing and controlling service endpoint access for applications and services. When a Control Loop Type is onboarded, or when Control Loop Instances are created in the Participants, CLAMP can configure service endpoints between Control Loop Elements to redirect through an API Gateway.
...
At runtime, CLAMP can configure the API gateway to allow or deny interactions per Control Loop Instance and, individually, per Control Loop Element. All service-level interactions in/out of a Control Loop Element, except those to/from the API Gateway, can be blocked by networking policies, thus sandboxing a Control Loop Element and, if desired, an entire Control Loop Instance. Therefore, a Control Loop Element will only have access to the APIs that are configured and enabled for that Control Loop Element/Instance in the API gateway.
For some Control Loop Element Types the Participant can assist with service endpoint reconfiguration, service request/response redirection to/from the API Gateway, or annotation of requests/responses.
Once the Control Loop Instance is instantiated on the Participants, the Participants configure the API gateway with the Control Loop Instance level configuration and with the specific configuration for their Control Loop Element. Therefore, a Control Loop Element will only have access to the APIs that are available over the configured API gateway.
Monitoring and logging of the use of the API gateway may also be provided. Information and statistics on API gateway use can be read from the API gateway and passed back in monitoring messages to the CLAMP runtime.
Additional isolation and execution-environment sandboxing can be supported depending on the Control Loop Element Type. For example: ONAP policies for given Control Loop Instances/Types can be executed in dedicated PDPs; K8S-hosted services can be executed in isolated namespaces or in dedicated clusters; etc.
Sandboxing using an API gateway is implemented in the Participant Intermediary. The Participant Intermediary alone handles all interaction with the API gateway, so that Participant Implementations have no way to access or configure the gateway themselves.
4.4 Security and Multi Tenancy
- User authentication to use the CL runtime (normal ONAP authentication)
- User authentication on participants (Certs?)
- Tenant definition on Control Loop Elements: each CLE should be assigned to a tenant
- A user should be authorized to have access to the tenant of the CLE
- API gateway configuration should match that of the tenant
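The following is an added example, not code from CLAMP, the Participant Intermediary or Kong. It shows, in one place, the two rules stated above: the per-element sandbox from the API gateway section (an element reaches only the endpoints configured for it, and an endpoint with no configured element gets no route at all), and the tenant rule from this section (an element or an endpoint in a different tenant than the instance is refused before any gateway configuration is produced). The output follows Kong's DB-less declarative format as the author understands it (key-auth consumer per element, an acl plugin per route); the names Endpoint, ControlLoopElement, ControlLoopInstance, gateway_config and is_allowed, and the sample catalogue and instance, are constructed for illustration. is_allowed is an offline model of the gateway decision so the result can be checked without a running gateway.

```python
"""Added example, not CLAMP's or Kong's own code: derive a per-Control-Loop-Element
sandbox from a Control Loop Instance as a Kong DB-less declarative config, and enforce
the element/tenant rules from section 4.4 before anything is pushed to the gateway.
Hypothetical names: Endpoint, ControlLoopElement, ControlLoopInstance, gateway_config,
is_allowed. The sample catalogue and instance at the bottom are constructed."""
import json
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    name: str      # logical service name, e.g. "policy-api"
    upstream: str  # URL the gateway forwards to (never exposed to the element)
    path: str      # path prefix the element calls on the gateway
    tenant: str    # tenant that owns the upstream service


@dataclass
class ControlLoopElement:
    element_id: str
    tenant: str
    allowed: list[str] = field(default_factory=list)  # endpoint names this CLE may use


@dataclass
class ControlLoopInstance:
    instance_id: str
    tenant: str
    elements: list[ControlLoopElement]


class TenantMismatch(Exception):
    """A CLE or an endpoint belongs to a different tenant than the instance."""


def consumer_name(instance_id: str, element_id: str) -> str:
    # One gateway consumer (and one ACL group) per Control Loop Element.
    return f"{instance_id}.{element_id}"


def gateway_config(instance: ControlLoopInstance, catalogue: list[Endpoint]) -> dict:
    """Return a Kong declarative config in which every route carries key-auth plus an
    acl plugin whose allow list names only the elements configured for that endpoint.
    Endpoints nobody is configured for get no route at all, so the gateway denies them.
    """
    by_name = {ep.name: ep for ep in catalogue}
    consumers, allow = [], {}  # allow: endpoint name -> [consumer groups]
    for el in instance.elements:
        if el.tenant != instance.tenant:
            raise TenantMismatch(f"{el.element_id} is in {el.tenant}, instance in {instance.tenant}")
        group = consumer_name(instance.instance_id, el.element_id)
        consumers.append({
            "username": group,
            # Per-element API key; the Participant Intermediary would hand this to the CLE.
            "keyauth_credentials": [{"key": secrets.token_urlsafe(32)}],
            "acls": [{"group": group}],
        })
        for name in el.allowed:
            ep = by_name[name]  # KeyError for an endpoint not in the catalogue is intended
            if ep.tenant != el.tenant:
                raise TenantMismatch(f"{el.element_id} ({el.tenant}) may not reach {name} ({ep.tenant})")
            allow.setdefault(name, []).append(group)
    services = []
    for name, groups in sorted(allow.items()):
        ep = by_name[name]
        services.append({
            "name": f"{instance.instance_id}.{name}",
            "url": ep.upstream,
            "routes": [{"name": f"{instance.instance_id}.{name}.route", "paths": [ep.path]}],
            "plugins": [
                {"name": "key-auth"},
                {"name": "acl", "config": {"allow": groups}},
            ],
        })
    return {"_format_version": "3.0", "consumers": consumers, "services": services}


def is_allowed(config: dict, consumer: str, path: str) -> bool:
    """Offline model of the gateway decision: the request passes only if some route
    prefix matches and the consumer's group is on that route's acl allow list."""
    if consumer not in {c["username"] for c in config["consumers"]}:
        return False  # unauthenticated or unknown caller
    for svc in config["services"]:
        for route in svc["routes"]:
            if any(path.startswith(p) for p in route["paths"]):
                acl = next(p for p in svc["plugins"] if p["name"] == "acl")
                return consumer in acl["config"]["allow"]
    return False  # no route configured: sandboxed by default


# Constructed sample: two endpoints owned by tenant "t1", one owned by tenant "t2".
CATALOGUE = [
    Endpoint("policy-api", "http://policy-api.onap:6969", "/policy/api/v1/", "t1"),
    Endpoint("dcae-collector", "http://dcae-ves.onap:8080", "/eventListener/v7", "t1"),
    Endpoint("other-tenant-svc", "http://svc.t2:80", "/t2/", "t2"),
]
INSTANCE = ControlLoopInstance("cl-1", "t1", [
    ControlLoopElement("policy-cle", "t1", ["policy-api"]),
    ControlLoopElement("dcae-cle", "t1", ["dcae-collector"]),
])

if __name__ == "__main__":
    print(json.dumps(gateway_config(INSTANCE, CATALOGUE), indent=2))
```

Running the module prints the declarative config that the Participant Intermediary would push to the gateway. Note that the "other-tenant-svc" endpoint never appears in the output: no element of the instance is configured for it, so the gateway has no route for its path and any request to it from the sandboxed elements is refused; configuring an element for it explicitly is rejected with TenantMismatch.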
5 APIs and Protocols
The APIs and Protocols used by CLAMP for Control Loops are described on the pages below:
...