Table of Contents
...
Note: during Istanbul, service-to-service (workload-to-workload) authorization will be configured first (high priority). Then, OOM will visit end-user-to-service (workload) authorization.
- The authorization policy enforces access control to the inbound traffic in the server side Envoy proxy. Each Envoy proxy runs an authorization engine that authorizes requests at runtime.
- When a request comes to the proxy, the authorization engine evaluates the request context against the current authorization policies, and returns the authorization result, either
ALLOWorDENY. - Istio authorization policies are configured using
.yamlfiles.
<source: https://istio.io/latest/docs/concepts/security/#authentication-policies>
Authorization policies support ALLOW, DENY and CUSTOM actions. The following digram depicts the policy precedence.
- CUSTOM → DENY → ALLOW
- in ONAP Istanbul, DENY and ALLOW will be configured first, as coarse-grained authorization. Then, CUSTOM action would be considered for fine-grained authorization in the future (as time allows).
<source: https://istio.io/latest/docs/concepts/security/#authentication-policies>
Example,
<source: https://istio.io/latest/docs/concepts/security/#authentication-policies>
Role-Based Access Control
...
| Gliffy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
- xNF logs will be collected via the VNF collection agent (collector), and will be sent to the Aggregator.
- Application (ONAP component) logs will be collected via the application collection agent (collector), and will be sent to the Aggregator.
- Infrastructure logs will be collected via syslog collection agent (collector), and will be sent to the Aggregator.
- The aggregator can be processed/normalized log data to the centralized database. Note that the database could be one or multiple based on log data types. It would be system provider's deployment choices.
- Visualization can be centralized or distributed based on log data types.
...