Versions Compared

Old Version 11

changes.mady.by.user Marcin Przybysz

Saved on

compared with

New Version Current

changes.mady.by.user Marcin Przybysz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Currently VES supports 4 authentication methods:

noAuth  --> Works by default. No changes are required.

basicAuth      --> Works with/without https healthcheck endpoint (readiness) defined; DCAE healthcheck pass on either case. VES blueprint needs to be overwritten.
certOnly        --> Works only when https healthcheck endpoint (readiness) is removed from blueprint; DCAE healthcheck also pass (when readiness is not explicitly defined). VES blueprint needs to be overwritten.
certBasicAuth-->Works with/without https healthcheck endpoint (readiness) defined; DCAE healthcheck pass on either case. VES blueprint needs to be overwritten.

For Dublin, there is created separate jira (DCAEGEN2-1593) for documentation updates to include steps for deploying VESCollector with above authentication enabled.

Readiness support on certOnly mode can be dealt vwith healtchecks disabled. Support for healtchecks is planned as future enhancement (DCAEGEN2-1594).

For enabling TLS, as new application port is involved the service should be redeployed (by modifying the parameters in blueprint), esp when changing from noAuth to basicAuth/certOnly/certBasicAuth. The latter 3 types use 8443 while the noAuth uses 8080. Any changes within basicAuth/certOnly/certBasicAuth can be done through consul update as k8s deployment descriptor (which contains the service definition and healthcheck spec) are still validauthentication methods certBasicAuth. It is possible to run as a option noAuth method, hovewer HTTP it is not supported by default.


High level test cases for auth.method = "

...

certBasicAuth"  :

...

When application is setup for TLS and auth.method = "basicAuth", healthcheck endpoint must be using 8443 (change submitted to override and support 8080 for healthcheck is not required nor valid).

To change VES Collector flag to basic.auth and adopt healthhecks to use HTTPS, there is need to change VES blueprints. Steps:

  1. Copy attached k8s-ves-0529-secure.yaml file to ONAP Bootstrap node
  2. From Rancher node find bootstrap pod: kubectl -n onap get pod | grep -i bootstrap
  3. Login to found in point 1 pod: kubectl exec -it <bootstrap_pod_name> -n onap bash
  4. Uninstal VES: cfy uninstall ves
  5. Delete VES blueprint: cfy blueprints delete ves
  6. Overwrite VES default blueprint with copied k8s-ves-0529-secure.yaml: copy new bp - k8s-ves-0529-secure.yaml as /blueprints/k8s-ves.yaml
  7. Apply new blueprint: cfy install -b ves -d ves -i /inputs/k8s-ves-inputs.yaml  /blueprints/k8s-ves.yaml

...

Test Case Name

...

Test Case Description

...


T02
TC ID

Test Case Name

Test Case Execution

Expected Result  Test Status
T01Client with correct basic auth and correct certificatecurl -vk --cert cert.pem --key key.pem -u sample1:sample1 -X POST https://{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json"PASS. HTTP/1.1 202

Status
colourGreen
titlePASSED

T02Client with incorrect basic auth and correct certificatecurl -vk --cert cert.pem --key key.pem -u sample1:sample2 -X POST https://{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json"PASS. HTTP/1.1 202

Status
colourGreen
titlePASSED

T03Client without basic auth and with correct certificatecurl -vk --cert cert.pem --key key.pem -X POST https://{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json"PASS. HTTP/1.1 202

 http 504 method not allowed

Status
colourGreen
titlePASSED

T04Client with
correct basic
correct basic auth
and incorrect
and incorrect certificatecurl -vk
-u sample1:sample1 -X
--cert incorrect
_rootCA
.crt --key rootCA.key --pass collector -u sample1:sample1 -X POST https://
192.168.0.22
{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json"
PASS. HTTP/1.1 202http 504 method not allowedT03Client with correct basic auth and without
FAIL, connection closed because of bad certificate

Status
colourGreen
titlePASSED

T05Client with correct basic auth and without certificatecurl -vk -u sample1:sample1 -
X POST https://
192.168.0.22T04Client without basic auth and without certificateFAILT05Client without basic auth and with correct certificateFAIL
{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json"PASS. HTTP/1.1 202

Status
colourGreen
title

Completed

PASSED

T06Client with
incorrect basic auth and with correct certificateFAILT07Client with
incorrect certificate and incorrect basic auth
and without certificateFAIL 

...

curl -vk --cert

...

incorrect.crt --key rootCA.key --pass collector -u

...

dummy:sample1 -X POST https://

...

{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.

...

json --header "Content-Type: application/json"

...

T02

...

FAIL, connection closed because of bad authentication

Status
colourGreen
titlePASSED

T07Client without certificate and without basic authcurl -vk -

...

X POST https://

...

{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json"FAIL, HTTP/1.1 401

Status
colourGreen
titlePASSED