[Gliffy diagram: latest diagram, to be replaced]
Security Functional Blocks
...
Note: during Istanbul, service-to-service (workload-to-workload) authorization will be configured first (high priority). Then, OOM will visit end-user-to-service (workload) authorization.
- The authorization policy enforces access control to the inbound traffic in the server side Envoy proxy. Each Envoy proxy runs an authorization engine that authorizes requests at runtime.
- When a request comes to the proxy, the authorization engine evaluates the request context against the current authorization policies, and returns the authorization result, either ALLOW or DENY.
- Istio authorization policies are configured using .yaml files.
<source: https://istio.io/latest/docs/concepts/security/#authentication-policies>
Authorization policies support ALLOW, DENY and CUSTOM actions. The following diagram depicts the policy precedence.
- CUSTOM → DENY → ALLOW
- In ONAP Istanbul, DENY and ALLOW will be configured first, as coarse-grained authorization. Then, the CUSTOM action would be considered for fine-grained authorization in the future (as time allows).
<source: https://istio.io/latest/docs/concepts/security/#authentication-policies>
Example,
<source: https://istio.io/latest/docs/concepts/security/#authentication-policies>
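As an added example (not the figure this page references, and not ONAP or Istio project code), the two policies below show the workload-to-workload pattern described above: a DENY policy and an ALLOW policy selecting the same server workload, so that the DENY → ALLOW precedence is visible in one place. The namespace `onap`, the label `app: example-server` and the service accounts `blocked-client` and `allowed-client` are constructed placeholders.

```yaml
# Added example: two Istio AuthorizationPolicy resources for
# service-to-service (workload-to-workload) authorization.
# Namespace, label and service-account names are assumptions.
#
# DENY policies are evaluated before ALLOW policies: a request that
# matches any DENY rule is rejected even if an ALLOW rule would match it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example-server-deny-blocked-client
  namespace: onap
spec:
  selector:
    matchLabels:
      app: example-server
  action: DENY
  rules:
    - from:
        - source:
            principals:
              # SPIFFE identity of the caller's Kubernetes service account,
              # taken from the mTLS client certificate presented to Envoy
              - cluster.local/ns/onap/sa/blocked-client
---
# Once at least one ALLOW policy selects a workload, any request that
# matches no ALLOW rule is rejected (default deny for that workload).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example-server-allow-client
  namespace: onap
spec:
  selector:
    matchLabels:
      app: example-server
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/onap/sa/allowed-client
      to:
        - operation:
            # coarse-grained: restrict to the API prefix and read/write verbs
            methods: ["GET", "POST"]
            paths: ["/api/*"]
```

Apply with `kubectl apply -f` against the mesh. One check worth making after deployment: `principals` is only populated when the connection is mutual TLS, so if the server workload is still in PERMISSIVE peer-authentication mode, a plaintext caller carries no principal and is decided by the fallback behaviour rather than by these rules. A STRICT PeerAuthentication for the namespace is the usual companion to principal-based policies, and the Envoy access log (RBAC denial entries) is where rejected requests can be confirmed.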
Role-Based Access Control
...
The following diagram depicts the ONAP Security Architecture. [Gliffy diagram not included in this export]
...
- ONAP Next Generation Security Architecture, https://wiki.onap.org/pages/viewpage.action?pageId=103417456
- Istio Architecture, https://istio.io/latest/docs/ops/deployment/architecture/
- Istio Security, https://istio.io/latest/docs/concepts/security/#authentication-policies
- Service Mesh Risk Analysis, https://wiki.onap.org/display/DW/Service+Mesh+Risk+Analysis
- Service Mesh Impact on Project, https://wiki.onap.org/display/DW/Service+Mesh+Impact+on+Projects
- ONAP Security Model, https://wiki.onap.org/display/DW/ONAP+Security+Model
- Logging Architecture Proposal, https://wiki.onap.org/display/DW/Logging+Architecture+Proposal
- Logging Enhancements Project proposal, https://wiki.onap.org/display/DW/Logging+Enhancements+Project+Proposal
- SECCOM Container Logging Requirements, https://wiki.onap.org/display/DW/CNF+2021+Meeting+Minutes?focusedTaskId=239&preview=/93004634/100896899/2021-02-22_LoggingRequirementEvents_v8.pptx