Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

PAGE STATUS: UNDER CONSTRUCTION

STATUS (previous version): Project Approved (next step is Architecture Approval)
STATUS (this version): Draft (seeking PTL approval)

AAF (Application Authorization Framework):


[Diagram (draw.io): CLAMP AAF System Context View]
Previous version:

The CLAMP functional entity provides the capability to manage runtime control loops. It provides the capability to:

  • Create control loop from DCAE blueprint sent by SDC
  • Create configuration policy from the policy Tosca sent by SDC
  • Configure DCAE applications of the control loop
  • Associate µService configuration policies to the DCAE application
  • Configure the operations to be taken by the control loop (by creating/updating/deleting operational policies)
  • Deploy/un-deploy control loop flow (blueprints) to DCAE
  • Control loop visualization.

CLAMP relies on Policy to communicate to App-C/VF-C/SDN-C/SO in runtime, hence these are not part of CLAMP.

This version:

AAF (Application Authentication Framework) provides the services for authentication, authorization and certificate management for the ONAP components. It provides services to the ONAP components to manage the lifecycle of authentication and authorization elements such as Permissions, Roles and Credentials. It supports:

  • Manage authentication and authorization elements such as: Permissions, Roles, Credentials
  • Access to organizational entities
  • Manage the lifecycle of passwords and certificates
  • Access to external credential authorities (e.g. CA)
  • Autogenerate ONAP certificates

2. API definitions

Previous version: CLAMP provides the following interfaces:

Interface Name | Interface Definition | Interface Capabilities
CLAMPE-1 | Control Loop Lifecycle | A user interface for:
  • Selecting the control loop flow
  • Entering configuration policy parameters
  • Entering operational policy parameters
  • Managing life cycle of DCAE control flow blueprint
CLAMPE-2 | Control loop dashboard. User interface to show the overall status of the control loop through DMAAP events | Display and update: events received and actions taken on the control loop

This version: AAF provides the following interfaces:

Interface Name | Interface Definition | Interface Capabilities | Version | Status | Consumed Models
AAFE-1 | Application Authorization Framework Management Interface | to be filled in | | |
AAFE-2 | Application Authorization Framework Authentication and Authorization Interface | An interface for the ONAP components to: to be filled in. | | |



    Note: an xxxI interface is a component internal interface; an xxxE interface is a component external interface.

    Previous version: CLAMP consumes the following interfaces:

    Interface Name | Purpose | Reason For Use
    SDCE-6 | To receive the Control Loop Blueprint from SDC | To receive
    PolicyE-2 | To create and configure the closed Loop Operational Policies and Configuration policies (DCAE Apps. Config.) |
    DCAEE-x | Retrieve DCAE application status |
    DCAEE-y | Deploy/remove DCAE application. |

    This version: AAF consumes no interfaces.

    AAFE-3: AAF External Credential Interface. An interface to retrieve and authenticate using credentials from a credential supplier external to ONAP.

    The current API documents can be found at:

    • AAFE-1 (to be added)
    • AAFE-2 (to be added)
    • AAFE-3 (to be added)

    3. Component Description:

    A more detailed figure and description of the component.

    << For later inclusion >> Link to read the docs



    4. Known system limitations: (IN PROGRESS)

    Runtime: None

    Clamp data redundancy is dependent on Kubernetes and the persistent volume.

    Clamp application redundancy (HA) relies on Kubernetes.


    5. Used Models

    Previous version:

    • Service model (received from SDC)
    • VNF model (received from SDC)
    • Policy Model.

    This version: (N/A)


    6. System Deployment Architecture


    AAF consists of x containers:

    • CLAMP container
    • MariaDB container
    • Kibana container
    • E_Search container
    • LogStash container 


    FFS


    7. New Capabilities in this Release

    This release, AAF adds the following Capabilities:

    • AAF Locator differentiates public Fully Qualified Domain Name (FQDN) from Kubernetes FQDN

      • Internal Kubernetes FQDN generated when client declares its Container Namespace
      • Public FQDN are accessible for both:
        • GUIs/Management outside Cluster
        • Non-ONAP entities outside the Cluster
        • Other Clusters
    • Improved documentation and enhanced configuration
      • Example "Helm" init containers to set up Volumes
    • Refactored maintenance processes online for Open Source (meaning non-company-specific), including
      • Analysis of expiring Creds and Roles
      • Generation of Approval records
      • Notification of Approvals, Creds and Roles in an external company configurable way.


    8. References

    1.  AAF Overview & User Guide: https://onap.readthedocs.io/en/latest/submodules/aaf/authz.git/docs/index.html (the previous version linked https://onap.readthedocs.io/en/latest/submodules/clamp.git/docs/index.html)
    2.  AAF internal interfaces: https://onap.readthedocs.io/en/latest/_downloads/d3c9f924c6586fe411d40a05ad9b1bb7/swagger.pdf